
Bug 94063

Summary: dev-php/php includes tempfile vulnerable shtool
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: normal
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A3 [ebuild+]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 93782

Description Romang 2005-05-26 04:36:34 UTC
Hello,

PHP is using a vulnerable version of shtool.

Contact the vendor

Regards.

Reproducible: Always
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 04:46:52 UTC
Eric, as usual, please forward patch to upstream if not already done...

PHP herd, please apply patch from bug 93782 to the included shtool in PHP (and
maybe also mod_php and php-cgi) and bump...
Comment 2 Romang 2005-05-26 04:49:53 UTC
Hello,

Bug reported :

http://bugs.php.net/bug.php?id=33150

Regards.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:44:41 UTC
Hmm we should wait for a more complete patch. Stay tuned...
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 09:15:17 UTC
PHP upstream won't patch shtool, they're waiting on upstream.

PHP herd, what's your opinion on this? Should we patch ourselves using
attachment 60117?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-05-31 10:18:12 UTC
security: if a lot of packages are going to be affected by this (I suspect that
they will be, as shtool is widely used), how about putting a fix-it function in
an eclass, so that it can be called globally.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2005-05-31 13:40:05 UTC
I was under the impression that we're on hold because there was a doubt whether
the patch we have was the right fix?  Please advise whether we have a patch that
we can apply or not.

Best regards,
Stu
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 13:50:47 UTC
Stuart: attachment 60117 *is* the new (and complete) patch. This is still a
patch of ours rather than the official upstream, but since upstream is
dead-silent we probably better patch it ourselves.

Robin: so far we identified the following packages:
dev-ml/ocaml-mysql (bug 93784)
net-nds/openldap (bug 94057)
and of course dev-util/shtool (bug 93782)

shtool has been patched. The others still have to be patched. I fear the eclass
solution might require difficult coordination between maintainers, but if you
think there are a lot more to unearth maybe it's the best solution...
Comment 8 Stuart Herbert (RETIRED) gentoo-dev 2005-06-01 14:07:16 UTC
Thanks for clearing that up.  I'll patch PHP4 and PHP5 on Thursday night.  
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:32:37 UTC
This Thursday? :)
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 08:31:00 UTC
<taviso> Koon: afaict, php only uses mkdir and echo commands, neither makes a
tmpfile
<taviso> and install

I updated the PHP bug to tell them they are unaffected for the time being; the
vulnerability lies in dead code.

Stuart: Sorry for the unnecessary (and repeated) pings...
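The reachability argument in comment 10 (PHP's build only calls the mkdir, echo and install subcommands of its bundled shtool, so the tempfile code is never executed) can be checked mechanically. The helper below is an added illustration, not code from this bug, from PHP or from Gentoo; it assumes shtool is invoked in build files as `shtool <subcommand>` or `$(SHTOOL) <subcommand>`, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example, not from the bug thread): list which shtool
# subcommands a source tree's build files actually invoke, so one can tell
# whether the bundled copy's tempfile-handling code is reachable at all.
# The allowlist (mkdir, echo, install) is the set named in comment 10.

# Print, deduplicated and one per line, every shtool subcommand invoked
# in build files under $1. Assumes the "shtool <cmd>" / "$(SHTOOL) <cmd>"
# / "${SHTOOL} <cmd>" calling conventions.
shtool_subcommands_used() {
    dir=$1
    grep -rhoE '(shtool|\$[({]SHTOOL[)}])[[:space:]]+[a-z]+' "$dir" 2>/dev/null \
        | sed -E 's/.*[[:space:]]+//' \
        | sort -u
}

# Return 0 if every subcommand used is one that creates no tempfile
# (per comment 10), otherwise print the offenders and return 1.
shtool_only_safe_subcommands() {
    dir=$1
    allow=" mkdir echo install "
    status=0
    for cmd in $(shtool_subcommands_used "$dir"); do
        case "$allow" in
            *" $cmd "*) ;;
            *) echo "uses shtool $cmd (not in allowlist)"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample tree standing in for a package's build files.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/Makefile.in" <<'EOF'
SHTOOL = $(top_srcdir)/build/shtool
install-headers:
    @$(SHTOOL) mkdir -p $(INSTALL_ROOT)$(includedir)
    @$(SHTOOL) echo -n "Installing headers"
    @$(SHTOOL) install -c -m 644 $$f $(INSTALL_ROOT)$(includedir)
EOF
    echo "$dir"
}
```

Run `shtool_only_safe_subcommands "$(make_sample_tree)"` to see the sample pass; point it at a real unpacked source tree to audit a package.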