Debian Bug report logs - #639230
[php5] README.Debian.security: unclear reference to unserialize() risk

Package: php5; Maintainer for php5 is (unknown);

Reported by: Filipus Klutiero <chealer@gmail.com>

Date: Thu, 25 Aug 2011 07:09:01 UTC

Severity: minor

Found in version php5/5.3.8-1

Fixed in version php5/5.4.0~rc7-1

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639230; Package php5. (Thu, 25 Aug 2011 07:09:04 GMT) (full text, mbox, link).

Acknowledgement sent to Filipus Klutiero <chealer@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 25 Aug 2011 07:09:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: php5
Version: 5.3.8-1
Severity: minor

README.Debian.security contains:

> Most specifically, the security team will not provide
> support for flaws in:
>
> - problems which are not flaws in the design of php but can be problematic
>   when used by sloppy developers (for example: not checking the contents
>   of a tar file before extracting it, using unserialize() on
>   untrusted data, or relying on a specific value of short_open_tag).

It is unclear to me how using unserialize() on untrusted data would 
create a particular risk. Do you perhaps mean extract()?

Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Tue, 31 Jan 2012 13:45:12 GMT) (full text, mbox, link).

Notification sent to Filipus Klutiero <chealer@gmail.com>:
Bug acknowledged by developer. (Tue, 31 Jan 2012 13:45:12 GMT) (full text, mbox, link).

Message #10 received at 639230-done@bugs.debian.org (full text, mbox, reply):

Hi,

> README.Debian.security contains:

> > Most specifically, the security team will not provide
> > support for flaws in:
> >
> > - problems which are not flaws in the design of php but can be
problematic
> >   when used by sloppy developers (for example: not checking the contents
> >   of a tar file before extracting it, using unserialize() on
> >   untrusted data, or relying on a specific value of short_open_tag).

> It is unclear to me how using unserialize() on untrusted data would
> create a particular risk. Do you perhaps mean extract()?

README.Debian.security is designed to be a brief overview of what is
supported. Users that want to know more about *why* a certain technique
can be risky, can refer to the PHP manual. On the topic of unserialize(),
this writes:

"If the variable being unserialized is an object, after successfully
reconstructing the object PHP will automatically attempt to call the
__wakeup() member function (if it exists)."

which should clearly illustrate the risk with unserializing untrusted data.


Cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639230; Package php5. (Tue, 31 Jan 2012 23:42:03 GMT) (full text, mbox, link).

Acknowledgement sent to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 31 Jan 2012 23:42:03 GMT) (full text, mbox, link).

Message #15 received at 639230@bugs.debian.org (full text, mbox, reply):

On -28163-01--10 14:59, Thijs Kinkhorst wrote:
> Hi,
>
>> README.Debian.security contains:
>>> Most specifically, the security team will not provide
>>> support for flaws in:
>>>
>>> - problems which are not flaws in the design of php but can be
> problematic
>>>    when used by sloppy developers (for example: not checking the contents
>>>    of a tar file before extracting it, using unserialize() on
>>>    untrusted data, or relying on a specific value of short_open_tag).
>> It is unclear to me how using unserialize() on untrusted data would
>> create a particular risk. Do you perhaps mean extract()?
> README.Debian.security is designed to be a brief overview of what is
> supported. Users that want to know more about *why* a certain technique
> can be risky, can refer to the PHP manual. On the topic of unserialize(),
> this writes:
>
> "If the variable being unserialized is an object, after successfully
> reconstructing the object PHP will automatically attempt to call the
> __wakeup() member function (if it exists)."
>
> which should clearly illustrate the risk with unserializing untrusted data.

Thank you Thijs.

I understand from Thijs's comment that the README is alluding to the 
built-in unserialize() function: 
http://ca.php.net/manual/en/function.unserialize.php
Assuming that is correct, please consider this report a reminder to clarify.

Regarding the risks in the unserialize() function, I happen to think the 
quoted passage is far from a clear illustration and reported upstream 
about this in https://bugs.php.net/bug.php?id=60941

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639230; Package php5. (Thu, 02 Feb 2012 09:18:20 GMT) (full text, mbox, link).

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 02 Feb 2012 09:18:35 GMT) (full text, mbox, link).

Message #20 received at 639230@bugs.debian.org (full text, mbox, reply):

On Wed, February 1, 2012 00:38, Filipus Klutiero wrote:
>>>>    when used by sloppy developers (for example: not checking the
>>>> contents
>>>>    of a tar file before extracting it, using unserialize() on
>>>>    untrusted data, or relying on a specific value of short_open_tag).

> I understand from Thijs's comment that the README is alluding to the
> built-in unserialize() function:
> http://ca.php.net/manual/en/function.unserialize.php
> Assuming that is correct, please consider this report a reminder to
> clarify.

Thanks, but given that unserialize is followed by () it should make it
clear we're referring to a specific function, and the whole document is
clearly in the context of the PHP interpreter. Googling for "php
unserialize" instantly yields the relevant documentation for those who
want to know more. I prefer to keep this brief so it actually gets read,
and don't think further clarification is necessary.

Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639230; Package php5. (Thu, 02 Feb 2012 17:45:03 GMT) (full text, mbox, link).

Acknowledgement sent to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 02 Feb 2012 17:45:03 GMT) (full text, mbox, link).

Message #25 received at 639230@bugs.debian.org (full text, mbox, reply):

On 2012-02-02 04:17, Thijs Kinkhorst wrote:
> On Wed, February 1, 2012 00:38, Filipus Klutiero wrote:
>>>>>     when used by sloppy developers (for example: not checking the
>>>>> contents
>>>>>     of a tar file before extracting it, using unserialize() on
>>>>>     untrusted data, or relying on a specific value of short_open_tag).
>> I understand from Thijs's comment that the README is alluding to the
>> built-in unserialize() function:
>> http://ca.php.net/manual/en/function.unserialize.php
>> Assuming that is correct, please consider this report a reminder to
>> clarify.
> Thanks, but given that unserialize is followed by () it should make it
> clear we're referring to a specific function, and the whole document is
> clearly in the context of the PHP interpreter.

It is clear that it refers to a specific function, but it is unclear 
which, it could also refer to Serializable::unserialize().
> Googling for "php
> unserialize" instantly yields the relevant documentation for those who
> want to know more. I prefer to keep this brief so it actually gets read,
> and don't think further clarification is necessary.
>

If we want brevity, I recommend dropping the examples. In fact, from 
what I understand, the entire item should be scrapped.

Bug Marked as fixed in versions php5/5.4.0~rc7-1. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Wed, 08 Feb 2012 19:09:02 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Apr 2012 07:40:42 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:31:08 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #639230 [php5] README.Debian.security: unclear reference to unserialize() risk

Debian Bug report logs - #639230
[php5] README.Debian.security: unclear reference to unserialize() risk