Debian Bug report logs - #508021
php apache/2 SAPI php_getuid() overload


Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sun, 7 Dec 2008 00:33:01 UTC

Severity: important

Tags: patch, security

Found in version php5/5.2.0-1

Fixed in version 5.2.6.dfsg.1-1

Done: sean finney <seanius@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#508021; Package php5. (Sun, 07 Dec 2008 00:33:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: php apache/2 SAPI php_getuid() overload
Date: Sat, 6 Dec 2008 18:25:44 -0600
Source: php5
Version: 5.2.0-1
Severity: important
Tags: security patch

Hi,

This is the item mentioned in 5.2.7's NEWS:
> 	- Fixed missing initialization of BG(page_uid) and BG(page_gid),
> 	  reported by Maksymilian Arciemowicz. (Stas)

SecurityReason's advisory can be found at [1], patch at [2].

Note: this issue probably affects php4 as well (apache and apache2 SAPIs).

[1]http://securityreason.com/achievement_securityalert/59
[2]http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#508021; Package php5. (Sun, 07 Dec 2008 23:21:04 GMT)

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 07 Dec 2008 23:21:04 GMT)

Message #8 received at 508021@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Raphael Geissert <atomo64@gmail.com>, 508021@bugs.debian.org
Subject: Re: [php-maint] Bug#508021: php apache/2 SAPI php_getuid() overload
Date: Mon, 8 Dec 2008 00:17:01 +0100
hiya,

On Sat, Dec 06, 2008 at 06:25:44PM -0600, Raphael Geissert wrote:
> [1]http://securityreason.com/achievement_securityalert/59
> [2]http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u

the first patch in [2] is for the apache 1.x sapi, which isn't currently
relevant for lenny/sid, though it is for etch which still has the 1.x sapi
built.  

it looks like the api between 1.x and 2.x is quite different, so do
you think it's safe to assume that only the second one is needed for
lenny/sid?  i looked in the CVS commit list around that date and didn't
see any other changes for this issue, at least.


	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#508021; Package php5. (Mon, 08 Dec 2008 23:57:05 GMT)

Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Dec 2008 23:57:06 GMT)

Message #13 received at 508021@bugs.debian.org:

From: "Raphael Geissert" <atomo64@gmail.com>
To: 508021@bugs.debian.org
Subject: Re: [php-maint] Bug#508021: Bug#508021: php apache/2 SAPI php_getuid() overload
Date: Mon, 8 Dec 2008 17:56:07 -0600
Hey,

2008/12/7 sean finney <seanius@debian.org>:
> hiya,
>
> On Sat, Dec 06, 2008 at 06:25:44PM -0600, Raphael Geissert wrote:
>> [1]http://securityreason.com/achievement_securityalert/59
>> [2]http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u
>> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u
>
> the first patch in [2] is for the apache 1.x sapi, which isn't currently
> relevant for lenny/sid, though it is for etch which still has the 1.x sapi
> built.

Didn't see it was against the apache 1.x SAPI; although it is useful
for etch anyway :)

>
> it looks like the api between 1.x and 2.x is quite different, so do
> you think it's safe to assume that only the second one is needed for
> lenny/sid?  i looked in the CVS commit list around that date and didn't
> see any other changes for this issue, at least.
>

Yeah, I think it is the only one we need for lenny/sid.

From apache2handler/sapi_apache2.c:
> static int php_handler(request_rec *r)
> {
[...]
>        /* apply_config() needs r in some cases, so allocate server_context early */
>        ctx = SG(server_context);
>        if (ctx == NULL || (ctx && ctx->request_processed && !strcmp(r->protocol, "INCLUDED"))) {
> normal:
>                ctx = SG(server_context) = apr_pcalloc(r->pool, sizeof(*ctx));
>                /* register a cleanup so we clear out the SG(server_context)
>                 * after each request. Note: We pass in the pointer to the
>                 * server_context in case this is handled by a different thread.
>                 */
[...]
> zend_first_try {
[...]

php_handler sounds like apache2handler's equiv of apache's php_run
(which is where the other patch was applied). So it looks fine
(although I'm not familiar at all with apache's SAPI-related stuff).


>
>        sean
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iD8DBQFJPFltynjLPm522B0RAg81AJ9dxW/NAdxqIiYqmo/STUBZhpFu6ACcCvHO
> +x4AnUNcSatjf3Glxy9vmlM=
> =pfXj
> -----END PGP SIGNATURE-----
>


Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Marie von Ebner-Eschenbach  - "Even a stopped clock is right twice a day."
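The NEWS entry quoted in the report ("missing initialization of BG(page_uid) and BG(page_gid)") and the php_handler discussion above are about one bug class: per-request globals that a SAPI only writes when it has owner information and never resets, so a later request can read whatever the previous one left there. The following C program is an added illustration of that class and of the fix, written for this page; it is not PHP's code and not part of the thread. `demo_getuid`, `PAGE_OWNER_UNSET`, `struct basic_globals` and the two `handle_request_*` functions are hypothetical stand-ins for BG(...), php_getuid() and the SAPI request handler, and the request sequence is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Sentinel meaning "the SAPI did not tell us who owns this page".
 * Hypothetical constant for this demo, not PHP's own convention. */
#define PAGE_OWNER_UNSET ((uid_t)-1)

/* Stand-in for PHP's per-request basic globals, BG(page_uid) / BG(page_gid). */
struct basic_globals {
    uid_t page_uid;
    gid_t page_gid;
};

static struct basic_globals bg;          /* one copy per server process, reused across requests */

/* Stand-in for php_getuid(): trust the page owner if the SAPI recorded one,
 * otherwise fall back to the uid the server process itself runs as. */
uid_t demo_getuid(void)
{
    if (bg.page_uid == PAGE_OWNER_UNSET) {
        return getuid();
    }
    return bg.page_uid;
}

/* What a request-start hook must do: forget everything the previous request left behind. */
void request_init_fixed(void)
{
    bg.page_uid = PAGE_OWNER_UNSET;
    bg.page_gid = (gid_t)-1;
}

/* Buggy handler: writes the fields only when it has owner information and never clears them. */
void handle_request_buggy(int has_owner, uid_t owner_uid, gid_t owner_gid)
{
    if (has_owner) {
        bg.page_uid = owner_uid;
        bg.page_gid = owner_gid;
    }
}

/* Fixed handler: reinitialise first, then record the owner if one is known. */
void handle_request_fixed(int has_owner, uid_t owner_uid, gid_t owner_gid)
{
    request_init_fixed();
    if (has_owner) {
        bg.page_uid = owner_uid;
        bg.page_gid = owner_gid;
    }
}

/* Scenario 1: a zero-filled global, as a static lives at process start before any init.
 * A getter that trusts the field reports uid 0 although nobody ever set an owner. */
uid_t uid_seen_before_any_init(void)
{
    memset(&bg, 0, sizeof bg);
    return demo_getuid();                 /* 0 */
}

/* Scenario 2: request A is for a page owned by uid 1000; request B carries no owner info.
 * Without a per-request reset, B inherits A's owner. */
uid_t uid_seen_by_second_request_buggy(void)
{
    request_init_fixed();                 /* pretend the process started clean */
    handle_request_buggy(1, 1000, 1000);  /* request A */
    handle_request_buggy(0, 0, 0);        /* request B */
    return demo_getuid();                 /* 1000: stale value from request A */
}

/* Scenario 3: the same two requests through the fixed handler. B falls back to the process uid. */
uid_t uid_seen_by_second_request_fixed(void)
{
    request_init_fixed();
    handle_request_fixed(1, 1000, 1000);
    handle_request_fixed(0, 0, 0);
    return demo_getuid();                 /* equal to getuid() */
}

int main(void)
{
    printf("zeroed global, no init:     uid %u\n", (unsigned)uid_seen_before_any_init());
    printf("buggy handler, 2nd request: uid %u\n", (unsigned)uid_seen_by_second_request_buggy());
    printf("fixed handler, 2nd request: uid %u (process uid %u)\n",
           (unsigned)uid_seen_by_second_request_fixed(), (unsigned)getuid());
    return 0;
}
```

The point for a reviewer of a SAPI patch like the one in [2] is where the reset lives: it has to run unconditionally at the start of every request (the php_handler / php_run entry point), not only on the branch that knows the page owner, and the "unset" state has to be a value no real uid takes rather than the 0 a zeroed global happens to contain.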




Reply sent to sean finney <seanius@debian.org>:
You have taken responsibility. (Sun, 18 Jan 2009 18:45:09 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sun, 18 Jan 2009 18:45:09 GMT)

Message #18 received at 508021-done@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: 508021-done@bugs.debian.org
Subject: fixed in 5.2.6.dfsg.1-1
Date: Sun, 18 Jan 2009 19:44:31 +0100
Version: 5.2.6.dfsg.1-1

this bug was fixed in the above version, though the bug id slipped through
the upload process.  the svn trunk changelog has been updated to reference
the CVE.


	sean


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 22 Mar 2009 07:27:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:05:23 2014; Machine Name: beach.debian.org
