Debian Bug report logs - #291410
libapache2-mod-php4: curl_init() allows to bypass open_basedir restrictions
Reported by: Martin Pitt <mpitt@debian.org>
Date: Thu, 20 Jan 2005 16:33:08 UTC
Severity: normal
Tags: patch, security
Found in version 4:4.3.10-2pitti1
Fixed in version php4/4:4.3.10-3
Done: Adam Conrad <adconrad@0c3.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#291410; Package libapache2-mod-php4.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Adam Conrad <adconrad@0c3.net>.
Message #5 received at submit@bugs.debian.org:
Package: libapache2-mod-php4
Version: 4:4.3.10-2pitti1
Severity: important
Tags: security patch
Hi!
I fixed a pretty old vulnerability in PHP4's cURL module, see
http://www.securitytracker.com/alerts/2004/Oct/1011984.html
for details. The Ubuntu patch is at
http://patches.ubuntu.com/patches/php4.curl-open_basedir.diff
The current upstream CVS HEAD is still not fixed, could you please
pass this to upstream?
I do not consider this issue overly critical, but it would be nice to
eventually fix this.
Thanks for considering and have a nice day,
Martin
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages libapache2-mod-php4 depends on:
ii apache2-mpm-prefork 2.0.52-3 Traditional model for Apache2
ii libbz2-1.0 1.0.2-1 A high-quality block-sorting file
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [
ii libexpat1 1.95.8-1 XML parsing C library - runtime li
ii libmagic1 4.12-1 File type determination library us
ii libpcre3 4.5-1.1 Perl 5 Compatible Regular Expressi
ii libssl0.9.7 0.9.7e-2 SSL shared libraries
ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap
ii php4-common 4:4.3.10-2pitti1 Common files for packages built fr
ii zlib1g 1:1.2.2-3 compression library - runtime
-- no debconf information
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#291410; Package libapache2-mod-php4.
Acknowledgement sent to adconrad@0c3.net:
Extra info received and forwarded to list. Copy sent to Adam Conrad <adconrad@0c3.net>.
Message #10 received at 291410@bugs.debian.org:
Martin Pitt said:
>
> I fixed a pretty old vulnerability in PHP4's cURL module, see
>
> http://www.securitytracker.com/alerts/2004/Oct/1011984.html
>
> for details. The Ubuntu patch is at
>
> http://patches.ubuntu.com/patches/php4.curl-open_basedir.diff
Have you seen the thread at [1]?... I haven't checked yet, but does your
patch fully address the different ways you can construct a "file://" URI
(with and without hostname, etc?)
> The current upstream CVS HEAD is still not fixed, could you please
> pass this to upstream?
According to the above thread, upstream will never accept this, as they're
stubborn twits. (Well, the stubborn twits bit is my own estimate), but
I'll be happy to add a patch permanently to the Debian sources of both
php4 and php5, if we can make it as clean, simple, and foolproof as
possible.
I can attempt to ping upstream with said patch and convince someone to
commit it once it meets the above criteria (which it may already, I'll
check your patch later today -- thanks).
... Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#291410; Package libapache2-mod-php4.
Acknowledgement sent to adconrad@0c3.net:
Extra info received and forwarded to list. Copy sent to Adam Conrad <adconrad@0c3.net>.
Message #15 received at 291410@bugs.debian.org:
The previous mail would have made a lot more sense if I'd actually
remembered to add the footnote[1] I referenced. :)
... Adam
[1] http://marc.theaimsgroup.com/?t=109903283400002&r=1&w=4
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#291410; Package libapache2-mod-php4.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Conrad <adconrad@0c3.net>.
Message #20 received at 291410@bugs.debian.org:
severity 291410 normal
thanks
Hi Adam!
Adam Conrad [2005-01-21 9:45 +1000]:
> Martin Pitt said:
> >
> > I fixed a pretty old vulnerability in PHP4's cURL module, see
> >
> > http://www.securitytracker.com/alerts/2004/Oct/1011984.html
> >
> > for details. The Ubuntu patch is at
> >
> > http://patches.ubuntu.com/patches/php4.curl-open_basedir.diff
>
> Have you seen the thread at [1]?...
No, thanks for that pointer. I already knew that PHP's safe mode is
not really safe, but I didn't expect that upstream actively ignores
patches to at least improve it a little.
> I haven't checked yet, but does your patch fully address the
> different ways you can construct a "file://" URI (with and without
> hostname, etc?)
Erm, you can construct file:// URLs with a _hostname_? If that is
possible, then my patch will probably forbid too much (since e.g.
file://remotehost/path/to/my/file is probably not in open_basedir).
The patch is really simple: if you have a file:// URL, then the
"file://" prefix is stripped and the rest of the string (which is then
the pure file path) is checked with php_check_open_basedir(). I tested
this on my server (which happens to run php) and it works very well.
> According to the above thread, upstream will never accept this, as they're
> stubborn twits. (Well, the stubborn twits bit is my own estimate), but
> I'll be happy to add a patch permanently to the Debian sources of both
> php4 and php5, if we can make it as clean, simple, and foolproof as
> possible.
The patch is very simple and obvious (and clean); however, if there
are such weird constructions like remote file URLs, it is incomplete.
It was easy to write, and naive as I am I don't really see why
fopen() should bother about open_basedir and curl_init() shouldn't,
so I just included it in a security update (which I had to do anyway)
and the Ubuntu unstable branch.
However, if upstream officially says that open_basedir, safe mode and
all that is neither working nor supported anyway, then it might not
make much sense to maintain this patch.
> I can attempt to ping upstream with said patch and convince someone to
> commit it once it meets the above criteria (which it may already, I'll
> check your patch later today -- thanks).
Thanks for your efforts! I downgraded the bug a little, and if
upstream refuses to fix this (at whatever API level they deem
appropriate), just close this bug.
Have a nice day!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
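The check Martin describes in the message above (strip the "file://" prefix and hand the remainder to php_check_open_basedir()) and the question Adam raised in his earlier reply (does that cover file:// URLs with and without a hostname?) can be modelled together. The following C is an added example written for this page; it is not the Ubuntu patch, Debian's 040-curl_open_basedir.patch, or PHP's own code. It parses the file: URL forms libcurl accepts, percent-decodes the path, normalises it lexically (PHP's real check also calls realpath(), which an offline example cannot), and allows the URL only when an empty or "localhost" host names a path inside a ':'-separated open_basedir value. All function names, the MAXPATH constant, the directory-boundary matching rule and the sample directive values are this example's own assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not PHP's or Debian's patch: models the open_basedir check
 * Martin's patch adds in front of the cURL extension, extended to the file://
 * URL forms Adam asks about (empty host, "localhost", a remote host).
 * Every function name here is this example's own. */

#define MAXPATH 4096

/* Lexically normalise the first `inlen` bytes of an absolute path: collapse
 * "//", drop ".", resolve "..". PHP's php_check_open_basedir() also applies
 * realpath() so symlinks cannot escape; that needs a filesystem, so this
 * offline example stops at the lexical pass. Returns 1 on success. */
static int normalize_path(const char *in, size_t inlen, char *out, size_t outsz)
{
    const char *p = in, *end = in + inlen; size_t len = 0;
    if (inlen == 0 || in[0] != '/') return 0;            /* relative: reject */
    while (p < end) {
        while (p < end && *p == '/') p++;
        const char *seg = p;
        while (p < end && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 0 && out[--len] != '/') ;        /* pop to previous '/' */
            continue;
        }
        if (len + seglen + 2 > outsz) return 0;
        out[len++] = '/'; memcpy(out + len, seg, seglen); len += seglen;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 1;
}

/* open_basedir is a ':'-separated list. A path is allowed when it equals an
 * entry or lies below it at a directory boundary, so "/var/www" admits
 * "/var/www/x" but not "/var/www2/x". (Stock PHP compares plain string
 * prefixes, which is why its manual says to end each entry with '/'.) */
static int path_in_basedir(const char *path, const char *basedir)
{
    char np[MAXPATH], nb[MAXPATH];
    if (!normalize_path(path, strlen(path), np, sizeof np)) return 0;
    while (basedir && *basedir) {
        const char *sep = strchr(basedir, ':');
        size_t elen = sep ? (size_t)(sep - basedir) : strlen(basedir);
        if (normalize_path(basedir, elen, nb, sizeof nb)) {
            size_t bl = strlen(nb);                        /* bl == 1 means "/" */
            if (bl == 1 || (strncmp(np, nb, bl) == 0 && (np[bl] == '\0' || np[bl] == '/')))
                return 1;
        }
        basedir = sep ? sep + 1 : NULL;
    }
    return 0;
}

/* Classify a URL: 1 = file: URL (host/path filled, path percent-decoded as
 * libcurl does before opening it), 0 = other scheme, -1 = malformed file: URL.
 * Accepts file:///p, file://localhost/p, file://host/p and file:/p. */
static int parse_file_url(const char *url, char *host, size_t hostsz,
                          char *path, size_t pathsz)
{
    const char *p = url; size_t n = 0;
    for (const char *s = "file:"; *s; s++, p++)             /* scheme, any case */
        if (tolower((unsigned char)*p) != *s) return 0;
    host[0] = '\0';
    if (p[0] == '/' && p[1] == '/') {                       /* authority present */
        p += 2;
        const char *slash = strchr(p, '/');
        size_t hlen = slash ? (size_t)(slash - p) : strlen(p);
        if (hlen >= hostsz) return -1;
        memcpy(host, p, hlen); host[hlen] = '\0';
        p = slash ? slash : "";
    }
    if (*p != '/') return -1;                               /* no absolute path */
    for (; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            p += 2;
        }
        if (c == 0 || n + 1 >= pathsz) return -1;          /* %00 or overflow */
        path[n++] = (char)c;
    }
    path[n] = '\0';
    return 1;
}

/* Decision for a URL handed to curl_init()/curl_setopt() under open_basedir:
 * 1 = allow, 0 = deny. Non-file schemes are not subject to open_basedir. */
int curl_url_allowed(const char *url, const char *basedir)
{
    char host[256], path[MAXPATH];
    int r = parse_file_url(url, host, sizeof host, path, sizeof path);
    if (r == 0) return 1;                                   /* http://, ftp://, ... */
    if (r < 0) return 0;                                    /* malformed: fail closed */
    /* Only an empty or "localhost" host names this machine's filesystem; any
     * other host is denied rather than relying on how libcurl treats it. */
    if (host[0] != '\0' && strcmp(host, "localhost") != 0) return 0;
    return path_in_basedir(path, basedir);
}
```

Called as curl_url_allowed("file:///var/www/../../etc/passwd", "/var/www:/tmp") the function returns 0, while curl_url_allowed("file://localhost/tmp/a.txt", "/var/www:/tmp") returns 1. A remote hostname, a percent-encoded "..", an embedded %00 and a relative path after "file:" are all denied, which is exactly the ground a bare prefix strip leaves uncovered; matching at a directory boundary rather than as a string prefix is a deliberate tightening over stock PHP's open_basedir semantics.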
Severity set to `normal'.
Request was from Martin Pitt <mpitt@debian.org>
to control@bugs.debian.org.
Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility.
Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.
Message #27 received at 291410-close@bugs.debian.org:
Source: php4
Source-Version: 4:4.3.10-3
We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:
caudium-php4_4.3.10-3_i386.deb
to pool/main/p/php4/caudium-php4_4.3.10-3_i386.deb
caudium-php4_4.3.10-3_powerpc.deb
to pool/main/p/php4/caudium-php4_4.3.10-3_powerpc.deb
libapache-mod-php4_4.3.10-3_i386.deb
to pool/main/p/php4/libapache-mod-php4_4.3.10-3_i386.deb
libapache-mod-php4_4.3.10-3_powerpc.deb
to pool/main/p/php4/libapache-mod-php4_4.3.10-3_powerpc.deb
libapache2-mod-php4_4.3.10-3_i386.deb
to pool/main/p/php4/libapache2-mod-php4_4.3.10-3_i386.deb
libapache2-mod-php4_4.3.10-3_powerpc.deb
to pool/main/p/php4/libapache2-mod-php4_4.3.10-3_powerpc.deb
php4-cgi_4.3.10-3_i386.deb
to pool/main/p/php4/php4-cgi_4.3.10-3_i386.deb
php4-cgi_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-cgi_4.3.10-3_powerpc.deb
php4-cli_4.3.10-3_i386.deb
to pool/main/p/php4/php4-cli_4.3.10-3_i386.deb
php4-cli_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-cli_4.3.10-3_powerpc.deb
php4-common_4.3.10-3_i386.deb
to pool/main/p/php4/php4-common_4.3.10-3_i386.deb
php4-common_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-common_4.3.10-3_powerpc.deb
php4-curl_4.3.10-3_i386.deb
to pool/main/p/php4/php4-curl_4.3.10-3_i386.deb
php4-curl_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-curl_4.3.10-3_powerpc.deb
php4-dev_4.3.10-3_all.deb
to pool/main/p/php4/php4-dev_4.3.10-3_all.deb
php4-domxml_4.3.10-3_i386.deb
to pool/main/p/php4/php4-domxml_4.3.10-3_i386.deb
php4-domxml_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-domxml_4.3.10-3_powerpc.deb
php4-gd_4.3.10-3_i386.deb
to pool/main/p/php4/php4-gd_4.3.10-3_i386.deb
php4-gd_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-gd_4.3.10-3_powerpc.deb
php4-imap_4.3.10-3_i386.deb
to pool/main/p/php4/php4-imap_4.3.10-3_i386.deb
php4-imap_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-imap_4.3.10-3_powerpc.deb
php4-ldap_4.3.10-3_i386.deb
to pool/main/p/php4/php4-ldap_4.3.10-3_i386.deb
php4-ldap_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-ldap_4.3.10-3_powerpc.deb
php4-mcal_4.3.10-3_i386.deb
to pool/main/p/php4/php4-mcal_4.3.10-3_i386.deb
php4-mcal_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-mcal_4.3.10-3_powerpc.deb
php4-mhash_4.3.10-3_i386.deb
to pool/main/p/php4/php4-mhash_4.3.10-3_i386.deb
php4-mhash_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-mhash_4.3.10-3_powerpc.deb
php4-mysql_4.3.10-3_i386.deb
to pool/main/p/php4/php4-mysql_4.3.10-3_i386.deb
php4-mysql_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-mysql_4.3.10-3_powerpc.deb
php4-odbc_4.3.10-3_i386.deb
to pool/main/p/php4/php4-odbc_4.3.10-3_i386.deb
php4-odbc_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-odbc_4.3.10-3_powerpc.deb
php4-pear_4.3.10-3_all.deb
to pool/main/p/php4/php4-pear_4.3.10-3_all.deb
php4-recode_4.3.10-3_i386.deb
to pool/main/p/php4/php4-recode_4.3.10-3_i386.deb
php4-recode_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-recode_4.3.10-3_powerpc.deb
php4-snmp_4.3.10-3_i386.deb
to pool/main/p/php4/php4-snmp_4.3.10-3_i386.deb
php4-snmp_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-snmp_4.3.10-3_powerpc.deb
php4-sybase_4.3.10-3_i386.deb
to pool/main/p/php4/php4-sybase_4.3.10-3_i386.deb
php4-sybase_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-sybase_4.3.10-3_powerpc.deb
php4-xslt_4.3.10-3_i386.deb
to pool/main/p/php4/php4-xslt_4.3.10-3_i386.deb
php4-xslt_4.3.10-3_powerpc.deb
to pool/main/p/php4/php4-xslt_4.3.10-3_powerpc.deb
php4_4.3.10-3.diff.gz
to pool/main/p/php4/php4_4.3.10-3.diff.gz
php4_4.3.10-3.dsc
to pool/main/p/php4/php4_4.3.10-3.dsc
php4_4.3.10-3_all.deb
to pool/main/p/php4/php4_4.3.10-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 291410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated php4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 6 Feb 2005 05:32:11 -0700
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal caudium-php4 php4-mhash
Architecture: all i386 powerpc source
Version: 4:4.3.10-3
Distribution: unstable
Urgency: medium
Maintainer: Adam Conrad <adconrad@0c3.net>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
caudium-php4 - server-side, HTML-embedded scripting language (caudium module)
libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
php4-cgi - server-side, HTML-embedded scripting language (CGI binary)
php4-cli - command-line interpreter for the php4 scripting language
php4-common - Common files for packages built from the php4 source
php4-curl - CURL module for php4
php4-domxml - XMLv2 module for php4
php4-gd - GD module for php4
php4-imap - IMAP module for php4
php4-ldap - LDAP module for php4
php4-mcal - MCAL calendar module for php4
php4-mhash - MHASH module for php4
php4-mysql - MySQL module for php4
php4-odbc - ODBC module for php4
php4-recode - Character recoding module for php4
php4-snmp - SNMP module for php4
php4-sybase - Sybase / MS SQL Server module for php4
php4-xslt - XSLT module for php4
Closes: 264015 278212 286225 288534 288672 288679 288909 291392 291410
Changes:
php4 (4:4.3.10-3) unstable; urgency=medium
.
* Update to CVS, as of 200502060530 (closes: #288672)
- File uploads with "'" in them aren't cut off anymore (closes: #288679)
- unserialize() is no longer ridiculously slow (closes: #291392)
- Add 000-200502060530_CVS.patch
- Adapt debian/rules to the realities of upstream's new buildconf
- Add 033-we_WANT_libtool.patch, to force relibtoolizing with Debian's
libtool, rather than using upstream's broken bundled libtool
- Drop 031_zend_strtod_1.1.2.10.patch and 032_zend_strtod_debian.patch
- Adjust patches for offsets and fuzz
- Force --with-pic, as policy demands it, and the build system doesn't
* Added several patches, yanked from the Fedora PHP sources:
- 034-apache2_umask_fix.patch, fixes umask not being properly reset
after each request (closes: #286225)
- 036-fd_setsize_fix.patch, fixes misuse of FD_SET()
- 038-round_test_fix.patch, makes the rounding test work on gcc-3.3
* Removed --with-libedit, as being able to background php is more useful,
in my opinion, than using readline functions (see #286356)
* Include zip support in all SAPIs (closes: #288534, #288909)
* Enable Zend Thread Safety for all SAPIs, meaning that our modules
are now compiled for ZTS APIs as well. (closes: #278212, #264015)
- Make sure caudium-php4 now provides phpapi-$(ver), and modules can
be configured with the caudium SAPI.
- Add 039-reentrant_libs.patch to link to the reentrant versions of
libldap and libmysqlclient
* Stop suggesting phpdoc, as it's undistributable anyway.
* Add 040-curl_open_basedir.patch, to make php4-curl respect the value
of open_basedir, thanks to Martin Pitt (closes: #291410)
* Add 041-shut_up_snmp.patch, to prevent libsnmp5 from attempting (and
failing) to write persistent data every time it shuts down. Ugh.
Files:
0235dc27a821dcbfd125bbe8a28de94f 1679786 web optional php4-cli_4.3.10-3_powerpc.deb
02d13fa04398cb0f5ad3238869b669f9 27668 web optional php4-odbc_4.3.10-3_i386.deb
04e8b767f856111b606d8f4531a16653 38792 web optional php4-imap_4.3.10-3_powerpc.deb
050bb39c66893a67798861d3be7737bb 163578 web optional php4-common_4.3.10-3_powerpc.deb
0904140269e197c60d703c73dfc0c50d 23986 web optional php4-sybase_4.3.10-3_powerpc.deb
1679f347deede4eed2ffe22bf4ebb875 163540 web optional php4-common_4.3.10-3_i386.deb
188774c5d0414bd786173af371e51789 743756 web optional php4_4.3.10-3.diff.gz
1a0eeb93290c8abbdc1d892dbd8ec3b8 1642072 web optional libapache2-mod-php4_4.3.10-3_i386.deb
1a4b90442839741e4e7c3c07ad3703fe 21924 web optional php4-ldap_4.3.10-3_powerpc.deb
1d4c1e68b92e089bffcc44c461ffc42f 1695270 web optional libapache-mod-php4_4.3.10-3_powerpc.deb
22034bb585c4409bae4b7628747e348f 349560 devel optional php4-dev_4.3.10-3_all.deb
2450109b8e0718c46fba61c5c5c2a6fd 29656 web optional php4-odbc_4.3.10-3_powerpc.deb
2f8de8ab714ad126ee3c2bde99aae7fa 18548 web optional php4-xslt_4.3.10-3_powerpc.deb
3848647260ccc77e14b99b849c371c41 21892 web optional php4-sybase_4.3.10-3_i386.deb
3ed38f3008c9fc0aa1cdf140cdd3e731 17884 web optional php4-mcal_4.3.10-3_i386.deb
3f6f207d435aafaf9f50b90a2ca933f9 38112 web optional php4-imap_4.3.10-3_i386.deb
5a9464d930731577a9ef76c90c7c2778 3267714 web optional php4-cgi_4.3.10-3_i386.deb
64ebb2341f935118d0e647dbf4930f88 249906 web optional php4-pear_4.3.10-3_all.deb
75653d01536d7e78c8d098af5c7fad9e 17918 web optional php4-curl_4.3.10-3_i386.deb
78fd7a6e240d75118004e554ba250ae7 9676 web optional php4-mhash_4.3.10-3_powerpc.deb
7edcdd682532b24889e2f1135f3dd536 1638584 web optional caudium-php4_4.3.10-3_i386.deb
cfa5e8fe8c157eb04758cc604dbb79dc 1707 web optional php4_4.3.10-3.dsc
8a3d12010fe9ba3751a7ce9959ea4af8 23948 web optional php4-mysql_4.3.10-3_powerpc.deb
8c6dae2a6a2266422a84d8c33a43f3b1 32786 web optional php4-gd_4.3.10-3_i386.deb
931019210f1628fe7b1c20a63a27d51d 13414 web optional php4-snmp_4.3.10-3_i386.deb
9667403ca2c3d56ed826a27508efe46e 1693116 web optional libapache2-mod-php4_4.3.10-3_powerpc.deb
9917d6a2f476665445143b392d8c3013 15244 web optional php4-snmp_4.3.10-3_powerpc.deb
9ec4dc2e28aefc12bc787598ed2d7f4b 7982 web optional php4-mhash_4.3.10-3_i386.deb
a29e978999dc50cda94767e08dcdbdd0 19990 web optional php4-mcal_4.3.10-3_powerpc.deb
a6e9e918446f372ef1f7f146bb99deca 19830 web optional php4-curl_4.3.10-3_powerpc.deb
af362440ac8586cfa9bf0f6e1e906682 38334 web optional php4-domxml_4.3.10-3_i386.deb
b9bd6a3e5bf38c67829c308b880a4fa9 1328 web optional php4_4.3.10-3_all.deb
c132e3bf5a5b0f937491951342d0ee4d 7798 web optional php4-recode_4.3.10-3_i386.deb
c3571ab43492f31a58c08699b53f8cc0 1643740 web optional libapache-mod-php4_4.3.10-3_i386.deb
c5d7a38f23f8b91257e7670d6e24a1ac 9388 web optional php4-recode_4.3.10-3_powerpc.deb
c7fbbdff433c64b9571d28b5f3152a3d 35336 web optional php4-gd_4.3.10-3_powerpc.deb
c9d7bebb9f392f5b3bc1222ce5800ae6 20236 web optional php4-ldap_4.3.10-3_i386.deb
d8f7f687c22147e5b408167394e19e42 16670 web optional php4-xslt_4.3.10-3_i386.deb
e17393db3346da81a4a8430982459500 40026 web optional php4-domxml_4.3.10-3_powerpc.deb
e655825259073f699da5cf48e5256d29 22582 web optional php4-mysql_4.3.10-3_i386.deb
ee4ac9ff487039d8f9f56909a630a5f1 3347194 web optional php4-cgi_4.3.10-3_powerpc.deb
f401315647e53a1138acfeac874149f3 1689340 web optional caudium-php4_4.3.10-3_powerpc.deb
fc7008cb97dfe57a6854f404b7619821 1638894 web optional php4-cli_4.3.10-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCB01wvjztR8bOoMkRAgUcAKCN7S87xCr/S6FhJGRCWtb2L3iHIwCg0mKM
XnSmmkCSAPgfj00tc9LECPA=
=Auqt
-----END PGP SIGNATURE-----
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:44:56 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:33:21 GMT)
Last modified: Wed Oct 11 12:08:17 2017