Control: reopen -1

2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> Hi Mathieu,

Hi Salvatore,

> On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
>> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
>> > Hi Mathieu,
>> >
>> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> >> Version: 5.3.6-1
>> >>
>> >> Hello,
>> >>
>> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since
>> >> 1.9.2
>> >
>> > is this true? I just did a quick check (not a full analysis) and it
>> > still seems to use /tmp/pear.
>>
>> Yes, it does. But it checks for symlinks and truncates the file.
>>
>> This even introduced a regression on Windows:
>> https://pear.php.net/bugs/bug.php?id=18834
>>
>> > Can you check if the upstream bug report might be pointing to the
>> > wrong fixing version?
>>
>> This is:
>> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
>> (which is in 1.9.2)
>>
>> And further improvement in:
>> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
>> (which is in 1.9.3)
>>
>> > (I have reopened the bugs for now)
>>
>> Can we close it then?
>
> Well, IMHO no, that is not correct. The issues are still there even if
> you cannot clobber someone else's files anymore. A can block another
> user this way.

I didn't want to close it, but my Reply-to-all went to the -done addresses.

> As user foo do:
>
> foo@sid:~$ pear download HTML_Common2
> downloading HTML_Common2-2.1.1.tgz ...
> Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> .....done: 8,604 bytes
> File /home/foo/HTML_Common2-2.1.1.tgz downloaded
>
> then replace the cache files with symlinks (e.g. to files in the home of
> user bar, since he wants to try to clobber these files). bar now is
> unable to pear download HTML_Common2:
>
> bar@sid:~$ pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on
> line 203
> PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> bar@sid:~$ ls
> bar@sid:~$
>
> or as root
>
> root@sid:~# pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> root@sid:~# pear install HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice: unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> install failed
> root@sid:~#
>
> So again, I don't think the issues with unsafe use of /tmp are fixed
> correctly and the bugs should not be closed. PHP maintainers, what do
> you think (Ondřej cc'ed)?

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is
finished. We should test against this latest 1.10 and report upstream if
the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards
-- 
Mathieu
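The defensive pattern the thread is arguing about (a cache in a world-shared /tmp that another user can replace with symlinks, so that the victim's client chokes on the planted content), shown as an added Python example; this is not PEAR's own code (which is PHP) and the "pear-cache-<uid>" directory name and the function names are hypothetical. It keeps a private per-user cache directory, opens entries with O_NOFOLLOW so the check and the open are one kernel operation, verifies the opened inode rather than the path, and treats any untrusted entry as a cache miss instead of a fatal error.

```python
import os
import stat
import tempfile


def user_cache_dir(base=None):
    """Create/verify a private per-user cache dir (hypothetical stand-in for /tmp/pear)."""
    base = base or tempfile.gettempdir()
    path = os.path.join(base, "pear-cache-%d" % os.getuid())
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: a symlink planted under this name must not be followed
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid()
            or st.st_mode & 0o077):
        raise RuntimeError("%s is not a private directory owned by this user" % path)
    return path


def open_cache_file(path):
    """Open (creating if needed) a cache entry, refusing symlinks and foreign owners."""
    # O_NOFOLLOW makes the kernel fail with ELOOP when the last path component is a
    # symlink, so there is no check-then-open race; new files are created mode 0600.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)  # inspect the inode we actually opened, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise RuntimeError("%s is not a regular file owned by this user" % path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "r+b")


def read_cache(path):
    """Return cached bytes, or None when the entry is untrusted (caller refetches)."""
    try:
        with open_cache_file(path) as f:
            return f.read()
    except (OSError, RuntimeError):
        return None


def demo():
    """Constructed scenario: a genuine cache entry beside a planted symlink."""
    cache = user_cache_dir(tempfile.mkdtemp())
    good = os.path.join(cache, "rest.cache")
    with open_cache_file(good) as f:
        f.write(b'a:1:{s:3:"key";s:5:"value";}')  # constructed PHP-serialized blob
    planted = os.path.join(cache, "planted.cache")
    os.symlink(good, planted)  # the kind of entry another user could plant
    return read_cache(good), read_cache(planted), os.path.getsize(good) > 0
```

The planted entry is reported as a miss and the file it points at is left untouched, which is the behaviour a shared-/tmp cache needs in order not to be a denial-of-service vector between local users.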