Debian Bug report logs - #656442
php-pear: Spurious (and possibly dangerous) file system accesses
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#656442; Package php-pear. (Thu, 19 Jan 2012 12:51:05 GMT)
Acknowledgement sent to Matthias Urlichs <matthias@urlichs.de>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 19 Jan 2012 12:51:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php-pear
Version: 5.3.8.0-1
Severity: important
These lines seem fairly inconspicuous.
/usr/share/php/MDB2/Driver/Datatype/Common.php, line 1227 ff.:
    $value = $db->escape($value, $escape_wildcards);
    if (PEAR::isError($value)) {
        return $value;
    }
    return "'".$value."'";
Interestingly, however, the call to PEAR::isError() causes this to happen:
15663 lstat64("/usr/share/roundcube/program/include/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff58558) = -1 ENOENT (No such file or directory)
15663 getcwd("/var/lib/roundcube", 4096) = 19
15663 time(NULL) = 1326973864
15663 lstat64("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff5a608) = -1 ENOENT (No such file or directory)
15663 open("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
15663 time(NULL) = 1326973864
15663 lstat64("/var/lib/roundcube/program/lib/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
15663 getcwd("/var/lib/roundcube", 4096) = 19
15663 time(NULL) = 1326973864
15663 lstat64("/var/lib/roundcube/./'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
15663 time(NULL) = 1326973864
15663 lstat64("/usr/share/php/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
15663 time(NULL) = 1326973864
15663 lstat64("/usr/share/pear/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
15663 time(NULL) = 1326973864
15663 lstat64("/usr/share/roundcube/program/include/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
15663 getcwd("/var/lib/roundcube", 4096) = 19
15663 time(NULL) = 1326973864
15663 lstat64("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff5aaa8) = -1 ENOENT (No such file or directory)
15663 open("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
This also happens for entire SQL commands, e.g.:
15663 lstat64("/var/lib/roundcube/program/lib/SELECT vars, ip, changed FROM session WHERE sess_id = ?.php", 0xbff56488) = -1 ENOENT (No such file or directory)
Frankly, I could *not* believe my eyes.
I don't know whether this has any security implications.
If so, I wouldn't be too surprised.
Anyway, I don't know the reason for this nonsense, but it needs to be stopped.
30 spurious file system calls for every SQL command is really pushing it.
(Assuming that the typical SQL statement has two string parameters.)
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (700, 'testing'), (650, 'unstable'), (600, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.1.0-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php-mdb2 depends on:
ii php-pear 5.3.8.0-1
php-mdb2 recommends no packages.
php-mdb2 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#656442; Package php-pear. (Mon, 09 Apr 2012 10:03:48 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 09 Apr 2012 10:03:50 GMT)
Message #10 received at 656442@bugs.debian.org:
reassign 656442 php-mdb2
thank you
Matthias,
I don't think that PEAR is at fault here; the isError routine is fairly simple:
function isError($data, $code = null)
{
    if (!is_a($data, 'PEAR_Error')) {
        return false;
    }
    if (is_null($code)) {
        return true;
    } elseif (is_string($code)) {
        return $data->getMessage() == $code;
    }
    return $data->getCode() == $code;
}
Thus it looks like the error is in the returned datatype from the escape()
function on calls to ->getMessage() and getCode().
I am reassigning the bug to php-mdb2 package since it's probably closer there.
Ondrej
On Thu, Jan 19, 2012 at 13:30, Matthias Urlichs <matthias@urlichs.de> wrote:
> Package: php-pear
> Version: 5.3.8.0-1
> Severity: important
>
> These lines seem fairly inconspicuous.
> /usr/share/php/MDB2/Driver/Datatype/Common.php, line 1227 ff.:
>
> $value = $db->escape($value, $escape_wildcards);
> if (PEAR::isError($value)) {
> return $value;
> }
> return "'".$value."'";
>
> Interestingly, however, the call to PEAR::isError() causes this to happen:
>
> 15663 lstat64("/usr/share/roundcube/program/include/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff58558) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", 0xbff5a608) = -1 ENOENT (No such file or directory)
> 15663 open("/var/lib/roundcube/dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/var/lib/roundcube/program/lib/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/var/lib/roundcube/./'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/usr/share/php/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/usr/share/pear/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/usr/share/roundcube/program/include/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff589f8) = -1 ENOENT (No such file or directory)
> 15663 getcwd("/var/lib/roundcube", 4096) = 19
> 15663 time(NULL) = 1326973864
> 15663 lstat64("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", 0xbff5aaa8) = -1 ENOENT (No such file or directory)
> 15663 open("/var/lib/roundcube/'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='.php", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
>
> This also happens for entire SQL commands, e.g.:
> 15663 lstat64("/var/lib/roundcube/program/lib/SELECT vars, ip, changed FROM session WHERE sess_id = ?.php", 0xbff56488) = -1 ENOENT (No such file or directory)
>
> Frankly, I could *not* believe my eyes.
>
> I don't know whether this has any security implications.
> If so, I wouldn't be too surprised.
>
> Anyway, I don't know the reason for this nonsense, but it needs to be stopped.
> 30 spurious file system calls for every SQL command is really pushing it.
> (Assuming that the typical SQL statement has two string parameters.)
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (700, 'testing'), (650, 'unstable'), (600, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.1.0-1-686-pae (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages php-mdb2 depends on:
> ii php-pear 5.3.8.0-1
>
> php-mdb2 recommends no packages.
>
> php-mdb2 suggests no packages.
>
> -- no debconf information
--
Ondřej Surý <ondrej@sury.org>
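The strace output in Message #5 shows the application's class autoloader being handed the escaped value (and later a whole SQL statement) as if it were a class name, and searching the include path for "<value>.php". The script below is an added example, not code from this bug log, PEAR, MDB2 or Roundcube. It rests on one fact that the bug log does not state: on PHP 5.3.7 and 5.3.8, is_a() given a string as its first argument asked the registered autoloaders to load a class of that name, and PHP 5.3.9 made that behaviour opt-in through a third parameter, $allow_string. Passing true for that parameter reproduces the 5.3.8 behaviour on a current interpreter. The class PEAR_Error, the functions isErrorNaive(), isErrorSafe() and isPlausibleClassName(), and the sample strings are all constructed for the example.

```php
<?php
// Added example for bug #656442; not code from the bug report, PEAR, MDB2 or
// Roundcube. It reproduces the mechanism behind the strace output and shows
// the two places where it can be stopped: the error check and the autoloader.
//
// Fact (not stated in the bug log): on PHP 5.3.7 and 5.3.8, is_a() given a
// string as its first argument asked the registered autoloaders to load a class
// of that name. PHP 5.3.9 made this opt-in via a third parameter, $allow_string.
// Passing true below reproduces the 5.3.8 behaviour on a current interpreter.
declare(strict_types=1);

/** Stand-in for PEAR_Error; only the class name matters for this demo. */
class PEAR_Error {}

/** Every class name the autoloader was asked for, collected for inspection. */
$autoloadRequests = [];

// A naive include-path loader of the kind the trace shows: the class name
// becomes "<name>.php" and is searched along the include path. Here we only
// record the candidate file name instead of calling include.
spl_autoload_register(function (string $class) use (&$autoloadRequests): void {
    $autoloadRequests[] = $class . '.php';
});

/** Mirrors PEAR::isError() as it behaved on PHP 5.3.8 when handed a string. */
function isErrorNaive($data): bool
{
    return is_a($data, 'PEAR_Error', true);   // allow_string = true
}

/** Hardened check: a non-object can never be a PEAR_Error, and instanceof
 *  never consults the autoloader, so data values never reach it. */
function isErrorSafe($data): bool
{
    return is_object($data) && $data instanceof PEAR_Error;
}

/** Defence inside an autoloader: accept only a syntactically valid, optionally
 *  namespaced PHP class name before mapping it to a path. Quoted values, SQL
 *  text and base64 padding ('=') all fail this test. */
function isPlausibleClassName(string $name): bool
{
    $label = '[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*';
    return (bool) preg_match('/^\\\\?' . $label . '(\\\\' . $label . ')*$/', $name);
}

// Constructed inputs modelled on the trace: an escaped session blob, a query
// string, and an identifier-shaped string. Later PHP versions refuse to pass
// syntactically invalid names to autoloaders at all, so on a current
// interpreter only the last one reaches the loader; 5.3.8 passed all of them.
$inputs = [
    "'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs='",
    'SELECT vars, ip, changed FROM session WHERE sess_id = ?',
    'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7',
];

foreach ($inputs as $value) {
    echo "value: $value\n";

    $autoloadRequests = [];
    isErrorNaive($value);
    echo "  naive isError -> autoloader asked for: ",
        $autoloadRequests ? implode(', ', $autoloadRequests) : '(nothing)', "\n";

    $autoloadRequests = [];
    isErrorSafe($value);
    echo "  safe  isError -> autoloader asked for: ",
        $autoloadRequests ? implode(', ', $autoloadRequests) : '(nothing)', "\n";

    echo "  plausible class name: ", isPlausibleClassName($value) ? 'yes' : 'no', "\n\n";
}
```

The two defences are independent. isErrorSafe() removes the problem at the call site, because instanceof never triggers autoloading, so no data value can be turned into a file lookup; that is the fix a library such as MDB2 or PEAR can apply regardless of the PHP version it runs on. isPlausibleClassName() is what an application's autoloader should do before it maps a name to a path, so that even a caller that does forward strings cannot make the loader stat or include a file named after user-controlled data such as the session blob in the trace.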
Bug reassigned from package 'php-pear' to 'php-mdb2'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 10:03:54 GMT)
No longer marked as found in versions php5/5.3.8.0-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 10:03:55 GMT)
Marked as found in versions php-mdb2/2.5.0b2-1. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Mon, 29 Apr 2013 07:06:04 GMT)
Merged 656424 656442. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Mon, 29 Apr 2013 07:06:06 GMT)
Added tag(s) upstream. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 13 Mar 2016 19:30:03 GMT)
Last modified: Sun Jul 2 02:05:38 2023