Bug 94063 - dev-php/php includes tempfile vulnerable shtool
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [ebuild+]
Depends on:
Blocks: 93782
Reported: 2005-05-26 04:36 UTC by Romang
Modified: 2005-06-10 08:31 UTC

Description Romang 2005-05-26 04:36:34 UTC

PHP is using a vulnerable version of shtool.

Contact the vendor


Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-05-26 04:46:52 UTC
Eric, as usual, please forward patch to upstream if not already done...

PHP herd, please apply patch from bug 93782 to the included shtool in PHP (and
maybe also mod_php and php-cgi) and bump...
Comment 2 Romang 2005-05-26 04:49:53 UTC

Bug reported :

Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:44:41 UTC
Hmm we should wait for a more complete patch. Stay tuned...
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 09:15:17 UTC
PHP upstream won't patch shtool, they're waiting on upstream.

PHP herd, what's your opinion on this? Should we patch ourselves using
attachment 60117?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-05-31 10:18:12 UTC
security: if a lot of packages are going to be affected by this (I suspect that 
they will be, as shtool is widely used), how about putting a fix-it function in 
an eclass, so that can be called globally.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2005-05-31 13:40:05 UTC
I was under the impression that we're on hold because there was a doubt whether
the patch we have was the right fix?  Please advise whether we have a patch that
we can apply or not.

Best regards,
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-05-31 13:50:47 UTC
Stuart: attachment 60117 *is* the new (and complete) patch. This is still a
patch of ours rather than the official upstream, but since upstream is
dead-silent we'd probably better patch it ourselves.

Robin: so far we identified the following packages :
dev-ml/ocaml-mysql (bug 93784)
net-nds/openldap (bug 94057)
and of course dev-util/shtool (bug 93782)

shtool has been patched. The others still have to be patched. I fear the eclass
solution might require difficult coordination between maintainers, but if you
think there are a lot more to unearth maybe it's the best solution...
Comment 8 Stuart Herbert (RETIRED) gentoo-dev 2005-06-01 14:07:16 UTC
Thanks for clearing that up.  I'll patch PHP4 and PHP5 on Thursday night.  
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 06:32:37 UTC
This Thursday ? :)
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 08:31:00 UTC
<taviso> Koon: afaict, php only uses mkdir and echo commands, neither makes a
<taviso> and install

I updated the PHP bug to tell them they are unaffected for the time being,
vulnerability lies in dead code.

Stuart: Sorry for the unnecessary (and repeated) pings...