
Bug#286225: marked as done (apache2: environment corruption bug)



Your message dated Mon, 07 Feb 2005 06:34:51 -0500
with message-id <E1Cy7AJ-00077I-00@newraff.debian.org>
and subject line Bug#286225: fixed in php4 4:4.3.10-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Dec 2004 15:31:46 +0000
From: Lars Ehrhardt <le-debianbugs@biz.h42.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: environment corruption bug
X-Mailer: reportbug 3.2
Date: Sat, 18 Dec 2004 16:31:23 +0100
Message-Id: <20041218153123.2E06F1840E@hitchhiker.hong.h42.net>

Package: apache2
Version: 2.0.52-3
Severity: important

Hi,

We've reported this earlier and I thought that a php4 update fixed this
problem. Unfortunately, the bug reappeared this week again.

It seems that there is an environment corruption bug.

Minimal testcase:

Create a php file, umask.php, with:

------------------ snipp --------------------------
<?php
umask(0700);
?>
------------------ snipp --------------------------

Invoke w3m or another browser to open this file
http://<hostname>/umask.php

Create a CGI file, test.pl, with:

------------------ snipp --------------------------
#!/usr/bin/perl -w

$counter=`date`;
open(TMP,">/tmp/test.log.$counter");
print TMP "foobar\n\n";
close TMP;
------------------ snipp --------------------------

Request this CGI script a couple of times, e.g.:

while true;do wget http://<hostname>/cgi-bin/test.pl;done

The output will look like this:
-rw-r--r--  1 www-data www-data     7 Dec 18 15:27 test.log.Sat Dec 18 15:27:50 CET 2004
-r------w-  1 www-data www-data     7 Dec 18 15:27 test.log.Sat Dec 18 15:27:51 CET 2004

The permissions on the second file are wrong. This behaviour causes all
sorts of funny side effects here. 

The CGI script is probably reusing the apache child environment of the
php script and therefore creates the file with wrong permissions.

We are using the debian testing php4 packages, 4.3.9.

I am not sure if this is a bug in apache2 or in php4, though. So feel
free to reassign if necessary.

Cheers,

Lars

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-ac15
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.52-3   Traditional model for Apache2

-- no debconf information

---------------------------------------
Received: (at 286225-close) by bugs.debian.org; 7 Feb 2005 11:39:39 +0000
From: Adam Conrad <adconrad@0c3.net>
To: 286225-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#286225: fixed in php4 4:4.3.10-3
Message-Id: <E1Cy7AJ-00077I-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 07 Feb 2005 06:34:51 -0500
Delivered-To: 286225-close@bugs.debian.org

Source: php4
Source-Version: 4:4.3.10-3

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

caudium-php4_4.3.10-3_i386.deb
  to pool/main/p/php4/caudium-php4_4.3.10-3_i386.deb
caudium-php4_4.3.10-3_powerpc.deb
  to pool/main/p/php4/caudium-php4_4.3.10-3_powerpc.deb
libapache-mod-php4_4.3.10-3_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.10-3_i386.deb
libapache-mod-php4_4.3.10-3_powerpc.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.10-3_powerpc.deb
libapache2-mod-php4_4.3.10-3_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.10-3_i386.deb
libapache2-mod-php4_4.3.10-3_powerpc.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.10-3_powerpc.deb
php4-cgi_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.10-3_i386.deb
php4-cgi_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-cgi_4.3.10-3_powerpc.deb
php4-cli_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-cli_4.3.10-3_i386.deb
php4-cli_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-cli_4.3.10-3_powerpc.deb
php4-common_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-common_4.3.10-3_i386.deb
php4-common_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-common_4.3.10-3_powerpc.deb
php4-curl_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-curl_4.3.10-3_i386.deb
php4-curl_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-curl_4.3.10-3_powerpc.deb
php4-dev_4.3.10-3_all.deb
  to pool/main/p/php4/php4-dev_4.3.10-3_all.deb
php4-domxml_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-domxml_4.3.10-3_i386.deb
php4-domxml_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-domxml_4.3.10-3_powerpc.deb
php4-gd_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-gd_4.3.10-3_i386.deb
php4-gd_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-gd_4.3.10-3_powerpc.deb
php4-imap_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-imap_4.3.10-3_i386.deb
php4-imap_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-imap_4.3.10-3_powerpc.deb
php4-ldap_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.10-3_i386.deb
php4-ldap_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-ldap_4.3.10-3_powerpc.deb
php4-mcal_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.10-3_i386.deb
php4-mcal_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-mcal_4.3.10-3_powerpc.deb
php4-mhash_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.10-3_i386.deb
php4-mhash_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-mhash_4.3.10-3_powerpc.deb
php4-mysql_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.10-3_i386.deb
php4-mysql_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-mysql_4.3.10-3_powerpc.deb
php4-odbc_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.10-3_i386.deb
php4-odbc_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-odbc_4.3.10-3_powerpc.deb
php4-pear_4.3.10-3_all.deb
  to pool/main/p/php4/php4-pear_4.3.10-3_all.deb
php4-recode_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-recode_4.3.10-3_i386.deb
php4-recode_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-recode_4.3.10-3_powerpc.deb
php4-snmp_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.10-3_i386.deb
php4-snmp_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-snmp_4.3.10-3_powerpc.deb
php4-sybase_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.10-3_i386.deb
php4-sybase_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-sybase_4.3.10-3_powerpc.deb
php4-xslt_4.3.10-3_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.10-3_i386.deb
php4-xslt_4.3.10-3_powerpc.deb
  to pool/main/p/php4/php4-xslt_4.3.10-3_powerpc.deb
php4_4.3.10-3.diff.gz
  to pool/main/p/php4/php4_4.3.10-3.diff.gz
php4_4.3.10-3.dsc
  to pool/main/p/php4/php4_4.3.10-3.dsc
php4_4.3.10-3_all.deb
  to pool/main/p/php4/php4_4.3.10-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  6 Feb 2005 05:32:11 -0700
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal caudium-php4 php4-mhash
Architecture: all i386 powerpc source 
Version: 4:4.3.10-3
Distribution: unstable
Urgency: medium
Maintainer: Adam Conrad <adconrad@0c3.net>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 caudium-php4 - server-side, HTML-embedded scripting language (caudium module)
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 264015 278212 286225 288534 288672 288679 288909 291392 291410
Changes: 
 php4 (4:4.3.10-3) unstable; urgency=medium
 .
   * Update to CVS, as of 200502060530 (closes: #288672)
     - File uploads with "'" in them aren't cut off anymore (closes: #288679)
     - unserialize() is no longer ridiculously slow (closes: #291392)
     - Add 000-200502060530_CVS.patch
     - Adapt debian/rules to the realities of upstream's new buildconf
     - Add 033-we_WANT_libtool.patch, to force relibtoolizing with Debian's
       libtool, rather than using upstream's broken bundled libtool
     - Drop 031_zend_strtod_1.1.2.10.patch and 032_zend_strtod_debian.patch
     - Adjust patches for offsets and fuzz
     - Force --with-pic, as policy demands it, and the build system doesn't
   * Added several patches, yanked from the Fedora PHP sources:
     - 034-apache2_umask_fix.patch, fixes umask not being properly reset
       after each request (closes: #286225)
     - 036-fd_setsize_fix.patch, fixes misuse of FD_SET()
     - 038-round_test_fix.patch, makes the rounding test work on gcc-3.3
   * Removed --with-libedit, as being able to background php is more useful,
     in my opinion, than using readline functions (see #286356)
   * Include zip support in all SAPIs (closes: #288534, #288909)
   * Enable Zend Thread Safety for all SAPIs, meaning that our modules
     are now compiled for ZTS APIs as well.  (closes: #278212, #264015)
     - Make sure caudium-php4 now provides phpapi-$(ver), and modules can
       be configured with the caudium SAPI.
     - Add 039-reentrant_libs.patch to link to the reentrant versions of
       libldap and libmysqlclient
   * Stop suggesting phpdoc, as it's undistributable anyway.
   * Add 040-curl_open_basedir.patch, to make php4-curl respect the value
     of open_basedir, thanks to Martin Pitt (closes: #291410)
   * Add 041-shut_up_snmp.patch, to prevent libsnmp5 from attempting (and
     failing) to write persistent data every time it shuts down.  Ugh.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCB01wvjztR8bOoMkRAgUcAKCN7S87xCr/S6FhJGRCWtb2L3iHIwCg0mKM
XnSmmkCSAPgfj00tc9LECPA=
=Auqt
-----END PGP SIGNATURE-----
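
The failure mode discussed in this thread, as an added C example (not code from php4, Apache, or 034-apache2_umask_fix.patch): a long-lived worker changes its process umask while serving one request, and the child forked for a later CGI request inherits it. The function names, `SCRIPT_MASK` and the save-and-restore reset are assumptions made for illustration; the mask is a constructed value chosen so the result matches the `-r------w-` listing in the report.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCRIPT_MASK 0274 /* constructed: 0666 & ~0274 == 0402, "-r------w-" */

/* Stand-in for an in-process script request that changes the process umask. */
static void script_request(int restore)
{
    mode_t saved = umask(SCRIPT_MASK);  /* umask() returns the previous mask */
    if (restore)
        umask(saved);                   /* reset before the next request */
}

/* Stand-in for a CGI request: the forked child inherits the worker's umask. */
static int cgi_request(const char *path)
{
    struct stat st;
    int status;
    pid_t pid = fork();
    if (pid == 0)   /* child: create the file with 0666, as test.pl's open() does */
        _exit(open(path, O_CREAT | O_EXCL | O_WRONLY, 0666) < 0);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* One long-lived worker serves the script request, then the CGI request. */
int cgi_mode_after_script(int restore)
{
    char dir[] = "/tmp/umask-demo-XXXXXX", path[64];
    mode_t outer = umask(022);          /* the worker's normal mask */
    int mode = -1;
    if (mkdtemp(dir) != NULL) {
        snprintf(path, sizeof path, "%s/test.log", dir);
        script_request(restore);
        mode = cgi_request(path);
        unlink(path);
        rmdir(dir);
    }
    umask(outer);
    return mode;
}

int main(void)
{
    printf("without reset: %04o\n", (unsigned)cgi_mode_after_script(0));
    printf("with reset:    %04o\n", (unsigned)cgi_mode_after_script(1));
}
```

Without the reset the CGI's file comes out as 0402; with it, the worker's normal 022 mask applies and the file is 0644, the mode of the first file in the report's listing.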


