Bug 476358 - =www-apache/mod_suphp-0.7.2 - Version bump.
Summary: =www-apache/mod_suphp-0.7.2 - Version bump.
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: Normal enhancement
Assignee: No maintainer - Look at if you want to take care of it
Whiteboard: Pending removal: 2015-04-19
Keywords: PMASKED
Depends on:
Blocks: apache-2.4-stable
Reported: 2013-07-10 08:17 UTC by devnull
Modified: 2015-04-26 12:57 UTC (History)

See Also:
Package list:
Runtime testing required: ---

mod_suphp-0.7.2.ebuild (file_476358.txt,2.42 KB, text/plain)
2013-07-10 12:43 UTC, devnull
suphp.conf (file_476358.txt,1.09 KB, text/plain)
2013-07-10 12:46 UTC, devnull
70_mod_suphp.conf (file_476358.txt,1.74 KB, text/plain)
2013-07-10 12:47 UTC, devnull
70_mod_suphp.conf (file_476358.txt,1.68 KB, text/plain)
2013-07-10 12:56 UTC, devnull
mod_suphp-0.7.2.ebuild (file_476358.txt,2.43 KB, text/plain)
2013-07-11 07:06 UTC, devnull

Description devnull 2013-07-10 08:17:45 UTC
This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited if the suPHP_PHPPath option was set. In this case, local users who could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as.

Also please pay attention to the suphp.conf env_path. Documentation says:

env_path:  Content of the "PATH" environment variable. Set this to a safe value.
  The value has to be enclosed in quotes or colons have to be escaped with
  the backslash character.
  The default value is "/bin:/usr/bin".

The default config comes WITHOUT the quotes for the env_path causing php to only look at "/bin".

Reproducible: Always
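
A lint for the env_path problem described above, as an added example that is not part of the bug report or of suPHP. The sample configs are constructed, and the truncation model (an unquoted, unescaped colon ends the value) is an assumption taken from the reporter's observation that only "/bin" is used.

```python
import re

# Constructed sample configs (not the attachments from this bug).
SAMPLE_BROKEN = """[global]
logfile=/var/log/apache2/suphp_log
env_path=/bin:/usr/bin
"""
SAMPLE_QUOTED = '[global]\nenv_path="/bin:/usr/bin"\n'
SAMPLE_ESCAPED = '[global]\nenv_path=/bin\\:/usr/bin\n'


def effective_env_path(value):
    """Return (path, ok) for a raw env_path value.

    Assumed model, based on the report: an unquoted, unescaped colon ends
    the value, so only the text before it ends up in PATH.
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1], True
    # Split on colons that are not preceded by a backslash.
    parts = re.split(r'(?<!\\):', value)
    first = parts[0].replace('\\:', ':')
    return first, len(parts) == 1


def check_suphp_conf(text):
    """Return [(lineno, raw, effective)] for each truncated env_path."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Assumption: ';' starts a comment line in suphp.conf.
        if stripped.startswith(';') or '=' not in stripped:
            continue
        key, _, raw = stripped.partition('=')
        if key.strip() != 'env_path':
            continue
        effective, ok = effective_env_path(raw)
        if not ok:
            findings.append((lineno, raw.strip(), effective))
    return findings


if __name__ == '__main__':
    for name, conf in [('broken', SAMPLE_BROKEN), ('quoted', SAMPLE_QUOTED),
                       ('escaped', SAMPLE_ESCAPED)]:
        print(name, check_suphp_conf(conf) or 'ok')
```
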
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-07-10 08:23:45 UTC
This package has no maintainer so this bug may go unnoticed for a long time.
Gentoo has a dedicated team[1] for assisting users in maintaining orphaned
packages. If you are interested in maintaining this package, please contact 

Comment 2 devnull 2013-07-10 12:43:58 UTC
Created attachment 352998 [details]

modified inherit
add src_prepare
Comment 3 devnull 2013-07-10 12:46:16 UTC
Created attachment 353000 [details]

modified suphp.conf to cover my needs .. most of it should be widely applicable

- set loglevel to warn ( info )
- set docroot to /home ( /var/www/ )
- fix the env_path
- added handlers for PHP 5.2 - 5.5
Comment 4 devnull 2013-07-10 12:47:06 UTC
Created attachment 353002 [details]

Added Handlers 5.2 - 5.5
Comment 5 devnull 2013-07-10 12:56:06 UTC
Created attachment 353004 [details]

Added Handlers 5.2 - 5.5
Reassigned .php4 to Handler application/x-httpd-php5. Don't support PHP4 anymore, last update 4 and a half years ago ..
Comment 6 devnull 2013-07-11 07:06:43 UTC
Created attachment 353060 [details]

fixed inherit class to support 
"confutils_require_one mode-force mode-owner mode-paranoid"

ebuild works fine for me on x86_64.
Comment 7 Pacho Ramos gentoo-dev 2014-12-17 16:38:14 UTC
Looks like killing this would be safer:
Comment 8 Pacho Ramos gentoo-dev 2015-04-26 12:57:05 UTC