| Field | Value |
|---|---|
| Summary | app-admin/php-toolkit <1.0.1 php-select can lowercase APACHE2_OPTS="-D PHP5" (CVE-2008-1734) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Toni Arnold <toni__arnold> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | eXt, mbartoszkiewicz, php-bugs, prote, syscon780 |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |

Description
Toni Arnold
2008-02-10 14:44:27 UTC
Created attachment 143120 [details]
emerge --info
dev-lang/php-5.2.5_p20080206 doesn't touch APACHE2_OPTS in /etc/conf.d/apache2 *at* *all*. Please, verify facts before filing bugs. Ok, verified a 3rd time (emerging php always takes some time): [/etc/conf.d]# cp apache2 apache2.old [/etc/conf.d]# emerge php [/etc/conf.d]# diff -u apache2.old apache2 --- apache2.old 2008-02-10 15:55:45.000000000 +0100 +++ apache2 2008-02-10 16:10:43.000000000 +0100 @@ -32,8 +32,8 @@ # SSL_DEFAULT_VHOST Enables default vhost for SSL (you should enable this # when you enable SSL) # -#APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D PHP5" -APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D PHP5" +#APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D php5" +APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D php5" # Extended options for advanced uses of Apache ONLY # You don't need to edit these unless you are doing crazy Apache stuff Created attachment 143124 [details, diff]
diff -Nau php-5.2.5-r1.ebuild php-5.2.5_p20080206.ebuild
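Review bot: in the `diff -u apache2.old apache2` hunk above, the commented-out `#APACHE2_OPTS=` line is rewritten along with the active `APACHE2_OPTS=` line, and in both the only change is `-D PHP5` becoming `-D php5`. Whatever edits /etc/conf.d/apache2 is substituting on every line that contains the option string instead of only on the uncommented assignment, and it is writing the define in the wrong case. The rewrite should match the active `APACHE2_OPTS=` line only and emit the define as a fixed literal, so its case cannot depend on a conversion step; a check that greps the active line for `-D PHP5` after the update would catch this regression.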
Right, let's see then... If you could point me to the line which 'lowercases' your -D PHP5 in the above diff, we'll be happy to fix it.
More specifically, the only thing that the ebuild/eclass does is calling php-select from app-admin/php-toolkit - which wasn't touched, hmmm.... since 25 Aug 2006.
Innocence of p20080206 confirmed: I masked php-5.2.5_p20080206, emerged php-5.2.5-r1 and subsequently php-5.2.4_pre200708051230-r2 and always got the same problem. As I didn't have php in world, I upgraded indirectly, but I didn't use it for some time, so I can't say when exactly the problem began.

Wed May 30 11:41:44 2007 >>> dev-lang/php-5.2.2-r1
Tue Oct 9 13:11:40 2007 >>> dev-lang/php-5.2.4_p20070914-r2
Sun Feb 10 12:23:05 2008 >>> dev-lang/php-5.2.5_p20080206

My php-toolkit is
Sat Sep 9 11:22:06 2006 >>> app-admin/php-toolkit-1.0-r2

This bug is a mystery to me, as it is so easily reproducible and should bite anyone using php.

Well, fix your APACHE2_OPTS, run php-select apache2 php5 and check again. If it breaks, post `echo php5 | tr [a-z] [A-Z]` output.

[/etc/conf.d]# php-select apache2 php5
Apache conf.d file updated.
For this change to take effect, you must restart the Apache webserver using this command:
/etc/init.d/apache2 restart

-> This doesn't change the correct apache2 file (except updating mtime). Its output appears in the emerge output, too.

Interactively,
[/etc/conf.d]# echo php5 | tr [a-z] [A-Z]
PHP5
works as expected.

Well, the above is exactly what the ebuild does. No idea, sorry.

No idea, either. Just emerged php twice on my 2nd gentoo box without any issue (it didn't touch /etc/conf.d/apache2, no output from php-config). genlop -l of the former starts at Sat Mar 13 16:09:38 2004 and the latter at Wed Feb 21 11:34:09 2007, maybe I should sometime consider a 'findcruft' day...

Created attachment 143194 [details, diff]
libapache.sh.patch
You can try this patch but I wouldn't be too optimistic... :P
*** Bug 211599 has been marked as a duplicate of this bug. ***

*** Bug 212954 has been marked as a duplicate of this bug. ***

Anyone can test the patch, or... ?

And BTW, I'd frankly like to see the whole thing messing with APACHE2_OPTS in the eclass go to /dev/null. No other apache module ebuild is doing similar things, why should PHP? Users can enable the module themselves.

Created attachment 146051 [details, diff]
corrected patch for libapache.sh
The previous patch has some problems:
* 'tr' is missing in two places
* [[ and ]] are unnecessary, single [ and ] are enough
* lower and upper are switched in two places.
This patch works for me.
With the next regular php update after I reported the bug, it disappeared for me, so I concluded that it has already been fixed. Thus I was rather surprised that it seems to bite others, too, but as I can't reproduce it anymore (php-select not called by the ebuild anymore), I can't help either.
> I'd frankly like to see the whole thing messing with APACHE2_OPTS in
> the eclass go to /dev/null
On one hand, the ebuild even tells explicitly: "To enable php, you need to edit your /etc/conf.d/apache2 file and add '-D PHP5' to APACHE2_OPTS."
But on the other hand (as in my case), php was emerged as a dependency for phppgadmin. Later, I switched over to pgadmin3 and didn't immediately notice when php broke. For cases like that, php is for phppgadmin what wxGTK is for pgadmin3: something like just another GUI toolkit that the user is not particularly interested in. For cases like that, I consider automatic configuration and activation by the distribution as a convenience.
(In reply to comment #15)
> Created an attachment (id=146051) [edit]
> corrected patch for libapache.sh

This patch works for me, too. In detail (for the "touch 'a'" see bug 212954):

- without the patch:
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
# php-select apache2
php5
# touch 'a'
# php-select apache2
*** warning: Apache is configured to use aaa5, but there is no matching mod_php installed on this machine
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"

- with the patch applied:
# rm -f a
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"
# php-select apache2
*** warning: Apache is configured to use -d language -d manual -d ssl -d php5, but there is no matching mod_php installed on this machine
# vi /etc/conf.d/apache2
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
# php-select apache2
php5
# php-select apache2 php5
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"

(In reply to comment #17)
...
> - without the patch:
> # grep "APACHE2_OPTS=" /etc/conf.d/apache2
> APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
> # php-select apache2
> php5
> # touch 'a'
> # php-select apache2
> *** warning: Apache is configured to use aaa5, but there is no
> matching mod_php installed on this machine

Here I forgot to paste this command:
# php-select apache2 php5

> # grep "APACHE2_OPTS=" /etc/conf.d/apache2
> APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"

<+CIA-50> hollow * gentoo-x86/app-admin/php-toolkit/ (ChangeLog files/php-select-modules/libapache.sh):
<+CIA-50> fix #209535

*** Bug 216109 has been marked as a duplicate of this bug. ***

According to bug 216109, this could be rated as a security configuration issue. Security, what do you think?
To reproduce the issue, the CWD from where emerge is called has to contain a file that matches the [a-z] pattern.

The important comment from bug 216109:

------- Comment #1 From Raphael Jacquot 2008-04-04 21:11:20 0000 [reply] -------
this is a major security issue.
makes all php scripts appear as text to the client, where said client can access things like passwords and the like... bad, bad, bad

On a QA note:
Please release a new version of this package and move the distfiles to a different repository, and use those tarballs. Splitting distfiles and ebuilds allows to edit the scripts without breaking stable versions.

For security:
Please revbump so people will reliably update to a fixed version.

(In reply to comment #23)
> On a QA note:
> Please release a new version of this package and move the distfiles to a
> different repository, and use those tarballs. Splitting distfiles and ebuilds
> allows to edit the scripts without breaking stable versions.
>
> For security:
> Please revbump so people will reliably update to a fixed version.

php-toolkit-1.0.1, which uses proper packaging / versioning, is in the tree now. I already marked it stable on amd64 but reverted the other keywords back to ~arch. Not sure if the latter action was the right thing, as the stable version would have led to the same installed files if re-merged recently...

Thanks, now for some proper keywording :-)

Arches, please test and mark stable:
=app-admin/php-toolkit-1.0.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 release s390 sh sparc x86"

Stable for HPPA.

x86 stable

ppc64 stable

ppc stable

alpha/ia64/sparc stable

Fixed in release snapshot.

GLSA 200804-19
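
The glob expansion behind this bug, as an added example that is not part of the original report or of php-toolkit: in a directory that holds a file named `a`, the shell replaces the unquoted `[a-z]` with `a` before `tr` runs. The function names, the temporary directory and the quoted `tr` form are assumptions of this example, not the contents of the attached patch.

```shell
#!/bin/sh
# Added demo (constructed): how a file in the current directory changes
# what `tr [a-z] [A-Z]` does. All function names are hypothetical.

# Unquoted sets, as in the command quoted in the thread. The shell tries
# to match [a-z] and [A-Z] against file names before tr ever runs.
to_upper_unquoted() { printf '%s\n' "$1" | tr [a-z] [A-Z]; }
to_lower_unquoted() { printf '%s\n' "$1" | tr [A-Z] [a-z]; }

# Quoted sets reach tr unchanged, whatever the directory contains.
to_upper_quoted() { printf '%s\n' "$1" | tr 'a-z' 'A-Z'; }

# run_in_tmpdir FILE CMD ARG: run CMD ARG inside a fresh temporary
# directory that contains FILE (or nothing when FILE is empty), then
# remove the directory and print what CMD printed.
run_in_tmpdir() {
    file=$1; shift
    dir=$(mktemp -d) || return 1
    [ -z "$file" ] || : > "$dir/$file"
    # LC_ALL=C keeps bracket ranges byte-ordered, so [A-Z] cannot match "a".
    out=$(cd "$dir" && LC_ALL=C && export LC_ALL && "$@")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Empty directory: no file matches, the patterns stay literal, tr works.
echo "empty dir, unquoted upper: $(run_in_tmpdir '' to_upper_unquoted php5)"
# File "a" present: tr receives `a [A-Z]`, so "php5" is left in lower case.
echo "file a,    unquoted upper: $(run_in_tmpdir a to_upper_unquoted php5)"
# File "a" present: tr receives `[A-Z] a`, so every capital becomes "a".
echo "file a,    unquoted lower: $(run_in_tmpdir a to_lower_unquoted PHP5)"
# Quoting the sets removes the dependency on the working directory.
echo "file a,    quoted upper:   $(run_in_tmpdir a to_upper_quoted php5)"
```

The third case reproduces the `aaa5` string from the warning quoted in the thread, and the second shows why `-D php5` ends up in APACHE2_OPTS.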