author | Ole Markus With <olemarkus@gentoo.org> | 2011-03-14 17:13:18 +0000 |
---|---|---|
committer | Ole Markus With <olemarkus@gentoo.org> | 2011-03-14 17:13:18 +0000 |
commit | acf24b1ef48d5e2b65650d7ecc02e3ecb4792c73 (patch) | |
tree | 3e4152d50919b8c7fd134a7f5f4785ff40cb2475 /dev-php/PEAR-PEAR/files | |
parent | Duplicate gnome-use-flag related stuff to allow eclass changes from overlay t... (diff) | |
Fixes security bug #356893
(Portage version: 2.1.9.41/cvs/Linux x86_64)
Diffstat (limited to 'dev-php/PEAR-PEAR/files')
-rw-r--r-- | dev-php/PEAR-PEAR/files/symlink-attack-fix.patch | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/dev-php/PEAR-PEAR/files/symlink-attack-fix.patch b/dev-php/PEAR-PEAR/files/symlink-attack-fix.patch
new file mode 100644
index 000000000000..8101b2e592af
--- /dev/null
+++ b/dev-php/PEAR-PEAR/files/symlink-attack-fix.patch
@@ -0,0 +1,126 @@
+Fixes issue with symlink attacks found in PEAR-PEAR-1.9.2
+Upstream bug: http://pear.php.net/bugs/bug.php?id=18056
+Gentoo bug: 356893
+
+--- pear/pear-core/tags/PEAR-1.9.3/PEAR/REST.php 2011/03/08 22:46:27 309041
++++ pear/pear-core/tags/PEAR-1.9.3/PEAR/REST.php 2011/03/08 23:16:30 309042
+@@ -228,59 +228,75 @@
+ $cacheidfile = $d . 'rest.cacheid';
+ $cachefile = $d . 'rest.cachefile';
+
++ if (!is_dir($cache_dir)) {
++ if (System::mkdir(array('-p', $cache_dir) === false)) {
++ return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory and attempts to create the directory failed.");
++ }
++ }
++
+ if ($cacheid === null && $nochange) {
+ $cacheid = unserialize(implode('', file($cacheidfile)));
+ }
+
+- if (is_link($cacheidfile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
+- }
++ $idData = serialize(array(
++ 'age' => time(),
++ 'lastChange' => ($nochange ? $cacheid['lastChange'] : $lastmodified),
++ ));
+
+- if (is_link($cachefile)) {
+- return PEAR::raiseError('SECURITY ERROR: Will not write to ' . $cacheidfile . ' as it is symlinked to ' . readlink($cacheidfile) . ' - Possible symlink attack');
++ $result = $this->saveCacheFile($cacheidfile, $idData);
++ if (PEAR::isError($result)) {
++ return $result;
++ } elseif ($nochange) {
++ return true;
+ }
+
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- if (is_dir($cache_dir)) {
+- return PEAR::raiseError("The value of config option cache_dir ($cache_dir) is not a directory. 
");
++ $result = $this->saveCacheFile($cachefile, serialize($contents));
++ if (PEAR::isError($result)) {
++ if (file_exists($cacheidfile)) {
++ @unlink($cacheidfile);
+ }
+
+- System::mkdir(array('-p', $cache_dir));
+- $cacheidfile_fp = @fopen($cacheidfile, 'wb');
+- if (!$cacheidfile_fp) {
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+- }
++ return $result;
+ }
+
+- if ($nochange) {
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $cacheid['lastChange'],
+- ))
+- );
+-
+- fclose($cacheidfile_fp);
+- return true;
+- }
++ return true;
++ }
+
+- fwrite($cacheidfile_fp, serialize(array(
+- 'age' => time(),
+- 'lastChange' => $lastmodified,
+- ))
+- );
+- fclose($cacheidfile_fp);
++ function saveCacheFile($file, $contents)
++ {
++ $len = strlen($contents);
+
+- $cachefile_fp = @fopen($cachefile, 'wb');
+- if (!$cachefile_fp) {
+- if (file_exists($cacheidfile)) {
+- @unlink($cacheidfile);
++ $cachefile_fp = @fopen($file, 'xb'); // x is the O_CREAT|O_EXCL mode
++ if ($cachefile_fp !== false) { // create file
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else { // update file
++ $cachefile_lstat = lstat($file);
++ $cachefile_fp = @fopen($file, 'wb');
++ if (!$cachefile_fp) {
++ return PEAR::raiseError("Could not open $file for writing.");
++ }
++
++ $cachefile_fstat = fstat($cachefile_fp);
++ if (
++ $cachefile_lstat['mode'] == $cachefile_fstat['mode'] &&
++ $cachefile_lstat['ino'] == $cachefile_fstat['ino'] &&
++ $cachefile_lstat['dev'] == $cachefile_fstat['dev'] &&
++ $cachefile_fstat['nlink'] === 1
++ ) {
++ if (fwrite($cachefile_fp, $contents, $len) < $len) {
++ fclose($cachefile_fp);
++ return PEAR::raiseError("Could not write $file.");
++ }
++ } else {
++ fclose($cachefile_fp);
++ $link = function_exists('readlink') ? readlink($file) : $file;
++ return PEAR::raiseError('SECURITY ERROR: Will not write to ' . 
$file . ' as it is symlinked to ' . $link . ' - Possible symlink attack');
+ }
+-
+- return PEAR::raiseError("Could not open $cacheidfile for writing.");
+ }
+
+- fwrite($cachefile_fp, serialize($contents));
+ fclose($cachefile_fp);
+ return true;
+ }
+@@ -464,4 +480,4 @@
+
+ return $data;
+ }
+-}
++}
+\ No newline at end of file |
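Review bot: In the update branch of saveCacheFile(), `@fopen($file, 'wb')` truncates whatever `$file` resolves to before the lstat()/fstat() comparison runs, so a symlinked or hard-linked target has already been emptied when the SECURITY ERROR is returned. Open without truncating and truncate only once the identity check has passed, e.g. `@fopen($file, 'cb')` plus `ftruncate($cachefile_fp, 0);` ahead of the fwrite() in the matching branch (mode `c` needs PHP 5.2.6 or later, so confirm the supported minimum). In the added cache_dir block the parenthesis is misplaced: `System::mkdir(array('-p', $cache_dir) === false)` hands mkdir the boolean result of the comparison, and should read `if (System::mkdir(array('-p', $cache_dir)) === false) {`. `lstat($file)` is also indexed without checking for `false`, which it can return when the exclusive create failed for a reason other than the file already existing. The function containing the first inner hunk begins above the patch context, so its callers and the `unserialize()` of the cache id file were not reviewed here.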