
Bug 209535

Summary: app-admin/php-toolkit <1.0.1 php-select can lowercase APACHE2_OPTS="-D PHP5" (CVE-2008-1734)
Product: Gentoo Security
Reporter: Toni Arnold <toni__arnold>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arm, eXt, mbartoszkiewicz, php-bugs, prote, s390, sh+disabled, syscon780
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
emerge --info (none)
diff -Nau php-5.2.5-r1.ebuild php-5.2.5_p20080206.ebuild (none)
libapache.sh.patch (none)
corrected patch for libapache.sh (none)

Description Toni Arnold 2008-02-10 14:44:27 UTC
emerging dev-lang/php-5.2.5_p20080206 lowercases APACHE2_OPTS="-D PHP5" in /etc/conf.d/apache2

This might be the cause for http://forums.gentoo.org/viewtopic-t-659543-highlight-php.html
"""
phpmyadmin opening "index.php" with text editor
After last Friday upgrade, I cannot log-in to mysql using phpmyadmin. When I try to open /localhost/phpmyadmin/index.php apache tries to open it with a text editor.
"""
I had basically the same problem after I needed to re-emerge php for a useflag change: Emerging php-5.2.5_p20080206 in fact disables php. The root cause seems to be the fact that the emerge lowercases "-D PHP5" in /etc/conf.d/apache2.

Steps to reproduce:
1. start with a working php installation (e.g. displaying <?php phpinfo(); ?>), ensure that /etc/conf.d/apache2 contains -D PHP5 in APACHE2_OPTS (To be precise, I have 2 such lines, the original line commented out and the hand-edited one being active).
2. emerge dev-lang/php-5.2.5_p20080206
3. issue /etc/init.d/apache2 stop and /etc/init.d/apache2 start (OT: /etc/init.d/apache2 restart sometimes leaves me with an apache not responding)

Observed behaviour:
The php program is displayed as raw text.
Cause: /etc/conf.d/apache2 now contains APACHE2_OPTS -D php5 (in both of my lines).

Expected behaviour:
Re-emerging php over an existing installation should not disable php by lowercasing "-D PHP5".

Workaround:
Manually replace in /etc/conf.d/apache2 "-D php5" with "-D PHP5" each time you emerge php.
Comment 1 Toni Arnold 2008-02-10 14:45:54 UTC
Created attachment 143120 [details]
emerge --info
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2008-02-10 14:48:41 UTC
dev-lang/php-5.2.5_p20080206 doesn't touch APACHE2_OPTS in /etc/conf.d/apache2 *at* *all*. 

Please, verify facts before filing bugs.
Comment 3 Toni Arnold 2008-02-10 15:15:51 UTC
Ok, verified a 3rd time (emerging php always takes some time):

[/etc/conf.d]# cp apache2 apache2.old
[/etc/conf.d]# emerge php
[/etc/conf.d]# diff -u apache2.old apache2
--- apache2.old 2008-02-10 15:55:45.000000000 +0100
+++ apache2     2008-02-10 16:10:43.000000000 +0100
@@ -32,8 +32,8 @@
 #  SSL_DEFAULT_VHOST  Enables default vhost for SSL (you should enable this
 #                     when you enable SSL)
 #
-#APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D PHP5"
-APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D PHP5"
+#APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D php5"
+APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D MANUAL -D SSL -D SSL_DEFAULT_VHOST -D USERDIR -D php5"

 # Extended options for advanced uses of Apache ONLY
 # You don't need to edit these unless you are doing crazy Apache stuff
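Review bot: the commented-out #APACHE2_OPTS line is rewritten together with the active assignment, and in both lines the only change is the final define going from -D PHP5 to -D php5, so whatever edits /etc/conf.d/apache2 substitutes on every line containing the option rather than on the live assignment only. The edit should be restricted to the uncommented APACHE2_OPTS= line and should preserve the case of the define it writes back.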
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2008-02-10 15:20:39 UTC
Created attachment 143124 [details, diff]
diff -Nau php-5.2.5-r1.ebuild php-5.2.5_p20080206.ebuild

Right, let's see then... If you could point me to the line which 'lowercases' your -D PHP5 in the above diff, we'll be happy to fix it.

More specifically, the only thing that the ebuild/eclass does is calling php-select from app-admin/php-toolkit - which wasn't touched, hmmm.... since 25 Aug 2006.
Comment 5 Toni Arnold 2008-02-10 16:31:16 UTC
Innocence of p20080206 confirmed: I masked php-5.2.5_p20080206, emerged php-5.2.5-r1 and subsequently php-5.2.4_pre200708051230-r2 and always got the same problem. As I didn't have php in world, I upgraded indirectly, but I didn't use it for some time, so I can't say when exactly the problem began.
     Wed May 30 11:41:44 2007 >>> dev-lang/php-5.2.2-r1
     Tue Oct  9 13:11:40 2007 >>> dev-lang/php-5.2.4_p20070914-r2
     Sun Feb 10 12:23:05 2008 >>> dev-lang/php-5.2.5_p20080206
My php-toolkit is
     Sat Sep  9 11:22:06 2006 >>> app-admin/php-toolkit-1.0-r2

This bug is a mystery to me, as it is so easily reproducible and should bite anyone using php.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2008-02-10 16:37:34 UTC
Well, fix your APACHE2_OPTS, run php-select apache2 php5 and check again. If it breaks, post `echo php5 | tr [a-z] [A-Z]` output.
Comment 7 Toni Arnold 2008-02-10 17:16:32 UTC
[/etc/conf.d]# php-select apache2 php5
Apache conf.d file updated.  For this change to take effect, you
must restart the Apache webserver using this command:

/etc/init.d/apache2 restart

-> This doesn't change the correct apache2 file (except updating mtime). Its output appears in the emerge output, too.

Interactively, 
[/etc/conf.d]# echo php5 | tr [a-z] [A-Z]
PHP5
works as expected.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2008-02-10 19:32:18 UTC
Well, the above is exactly what the ebuild does. No idea, sorry.
Comment 9 Toni Arnold 2008-02-11 10:35:48 UTC
No idea, neither. Just emerged php twice on my 2nd gentoo box without any issue (it didn't touch /etc/conf.d/apache2, no output from php-config).

genlop -l of the former starts at Sat Mar 13 16:09:38 2004 and the latter at Wed Feb 21 11:34:09 2007, maybe I should sometime consider a 'findcruft' day...
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2008-02-11 10:53:31 UTC
Created attachment 143194 [details, diff]
libapache.sh.patch

You can try this patch but I wouldn't be too optimistic... :P
Comment 11 Jakub Moc (RETIRED) gentoo-dev 2008-02-27 08:49:56 UTC
*** Bug 211599 has been marked as a duplicate of this bug. ***
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2008-03-12 13:19:14 UTC
*** Bug 212954 has been marked as a duplicate of this bug. ***
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2008-03-12 13:19:37 UTC
Anyone can test the patch, or... ?
Comment 14 Jakub Moc (RETIRED) gentoo-dev 2008-03-12 13:33:53 UTC
And BTW, I'd frankly like to see the whole thing messing with APACHE2_OPTS in the eclass go to /dev/null. No other apache module ebuild is doing similar things, why should PHP? Users can enable the module themselves.
Comment 15 Michał Bartoszkiewicz 2008-03-13 17:43:52 UTC
Created attachment 146051 [details, diff]
corrected patch for libapache.sh

The previous patch has some problems:
 * 'tr' is missing in two places
 * [[ and ]] are unnecessary, single [ and ] are enough
 * lower and upper are switched in two places.
This patch works for me.
Comment 16 Toni Arnold 2008-03-14 13:13:31 UTC
With the next regular php update after I reported the bug, it disappeared for me, so I concluded that it has already been fixed. Thus I was rather surprised that it seems to bite others, too, but as I can't reproduce it anymore (php-select not called by the ebuild anymore), I can't help either.

> I'd frankly like to see the whole thing messing with APACHE2_OPTS in
> the eclass go to /dev/null
On one hand, the ebuild even tells explicitly: "To enable php, you need to edit your /etc/conf.d/apache2 file and add '-D PHP5' to APACHE2_OPTS."
But on the other hand (as in my case), php was emerged as a dependency for phppgadmin. Later, I switched over to pgadmin3 and didn't immediately notice when php broke. For cases like that, php is for phppgadmin what wxGTK is for pgadmin3: something like just another GUI toolkit that the user is not particularly interested in. For cases like that, I consider automatic configuration and activation by the distribution as a convenience.
Comment 17 Horst Prote 2008-03-19 12:48:01 UTC
(In reply to comment #15)
> Created an attachment (id=146051) [edit]
> corrected patch for libapache.sh
This patch works for me, too.
In detail (for the "touch 'a'" see bug 212954):

- without the patch:
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
# php-select apache2
php5
# touch 'a'
# php-select apache2
*** warning: Apache is configured to use aaa5, but there is no
             matching mod_php installed on this machine
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"

- with the patch applied:
# rm -f a
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"
# php-select apache2
*** warning: Apache is configured to use -d language -d manual -d ssl -d php5,
but there is no matching mod_php installed on this machine
# vi /etc/conf.d/apache2
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
# php-select apache2
php5
# php-select apache2 php5
# grep "APACHE2_OPTS=" /etc/conf.d/apache2
APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
Comment 18 Horst Prote 2008-03-19 12:51:52 UTC
(In reply to comment #17)
...
> - without the patch:
> # grep "APACHE2_OPTS=" /etc/conf.d/apache2
> APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D PHP5"
> # php-select apache2
> php5
> # touch 'a'
> # php-select apache2
> *** warning: Apache is configured to use aaa5, but there is no
>              matching mod_php installed on this machine

Here I forgot to paste this command:
# php-select apache2 php5

> # grep "APACHE2_OPTS=" /etc/conf.d/apache2
> APACHE2_OPTS="-D LANGUAGE -D MANUAL -D SSL -D php5"
Comment 19 Jakub Moc (RETIRED) gentoo-dev 2008-03-24 10:26:22 UTC
<+CIA-50> hollow * gentoo-x86/app-admin/php-toolkit/ (ChangeLog files/php-select-modules/libapache.sh): 
<+CIA-50> fix #209535
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2008-04-05 22:53:49 UTC
*** Bug 216109 has been marked as a duplicate of this bug. ***
Comment 21 Christian Hoffmann (RETIRED) gentoo-dev 2008-04-05 22:55:44 UTC
According to bug 216109, this could be rated as a security configuration issue. Security, what do you think?
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 00:12:46 UTC
To reproduce the issue, the CWD from where emerge is called has to contain a file that matches the [a-z] pattern.

The important comment from bug 216109:
------- Comment #1 From Raphael Jacquot 2008-04-04 21:11:20 0000 [reply] -------

this is a major security issue. makes all php scripts appear as text to the
client, where said client can access things like passwords and the like... bad,
bad, bad
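The failure mode described in comments 6, 17 and 22, as an added example that is not code from this bug report or from php-toolkit: unquoted `tr` ranges are glob patterns, so a single-letter file in the current directory changes what `tr` receives. The function names are hypothetical, the directory and its file `a` are constructed, and the `aaa5` result assumes the C locale and a `tr` that pads the second set with its last character, as GNU tr does.

```shell
#!/bin/sh
# Added illustration: unquoted tr ranges are glob patterns to the shell.
# All function names are hypothetical; the directory and its file are constructed.
LC_ALL=C; export LC_ALL   # assumption: C locale, so [A-Z] cannot match "a"

# Fragile form, as in comment 6: the shell tries pathname expansion on
# [a-z] and [A-Z] before tr starts, so the result depends on the CWD.
upper_unquoted() { printf '%s\n' "$1" | tr [a-z] [A-Z]; }
lower_unquoted() { printf '%s\n' "$1" | tr [A-Z] [a-z]; }

# Robust form: quoted character classes reach tr unchanged.
upper_quoted() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }
lower_quoted() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# Run a function with a given directory as CWD, in a subshell.
in_dir() { ( cd "$1" && shift && "$@" ); }

# Constructed CWD holding one file whose name matches [a-z].
demo_dir() { d=$(mktemp -d) && : > "$d/a" && printf '%s\n' "$d"; }

dir=$(demo_dir)
# [a-z] expands to "a": tr '[A-Z]' a maps every capital to "a" (set 2 is padded)
echo "lower, unquoted: $(in_dir "$dir" lower_unquoted PHP5)"
# tr a '[A-Z]' only rewrites the letter "a", so php5 is never uppercased
echo "upper, unquoted: $(in_dir "$dir" upper_unquoted php5)"
echo "upper, quoted:   $(in_dir "$dir" upper_quoted php5)"
rm -rf "$dir"
```

In a directory with no single-letter lowercase file name the unquoted forms behave correctly, which is why the interactive check in comment 7 printed PHP5.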
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 00:20:24 UTC
On a QA note:
Please release a new version of this package and move the distfiles to a different repository, and use those tarballs. Splitting distfiles and ebuilds allows to edit the scripts without breaking stable versions.

For security:
Please revbump so people will reliably update to a fixed version.
Comment 24 Christian Hoffmann (RETIRED) gentoo-dev 2008-04-06 10:24:32 UTC
(In reply to comment #23)
> On a QA note:
> Please release a new version of this package and move the distfiles to a
> different repository, and use those tarballs. Splitting distfiles and ebuilds
> allows to edit the scripts without breaking stable versions.
> 
> For security:
> Please revbump so people will reliably update to a fixed version.
php-toolkit-1.0.1, which uses proper packaging / versioning, is in the tree now. I already marked it stable on amd64 but reverted the other keywords back to ~arch. Not sure if the latter action was the right thing, as the stable version would have led to the same installed files if re-merged recently...

Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 12:02:51 UTC
Thanks, now for some proper keywording :-)

Arches, please test and mark stable:
=app-admin/php-toolkit-1.0.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Already stabled : "amd64"
Missing keywords: "alpha arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Comment 26 Jeroen Roovers gentoo-dev 2008-04-06 15:05:45 UTC
Stable for HPPA.
Comment 27 Markus Meier gentoo-dev 2008-04-06 16:24:24 UTC
x86 stable
Comment 28 Markus Rothe (RETIRED) gentoo-dev 2008-04-06 19:42:48 UTC
ppc64 stable
Comment 29 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-06 20:17:46 UTC
ppc stable
Comment 30 Raúl Porcel (RETIRED) gentoo-dev 2008-04-07 22:43:03 UTC
alpha/ia64/sparc stable
Comment 31 Peter Volkov (RETIRED) gentoo-dev 2008-04-08 05:48:19 UTC
Fixed in release snapshot.
Comment 32 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 23:42:51 UTC
GLSA 200804-19