Debian Bug report logs - #267720
php4-common: Package breaks sessions (wrong permissions)


Package: php4-common; Maintainer for php4-common is (unknown);

Reported by: Caveman <[email protected]>

Date: Tue, 24 Aug 2004 02:33:03 UTC

Severity: important

Found in version 4:4.3.8-7

Fixed in version php4/4:4.3.8-8

Done: Adam Conrad <[email protected]>

Bug is archived. No further changes may be made.



Report forwarded to [email protected], Adam Conrad <[email protected]>:
Bug#267720; Package php4-common.


Acknowledgement sent to Caveman <[email protected]>:
New Bug report received and forwarded. Copy sent to Adam Conrad <[email protected]>.


Message #5 received at [email protected]:

From: Caveman <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: php4-common: Package breaks sessions (wrong permissions)
Date: Tue, 24 Aug 2004 12:21:42 +1000

Package: php4-common
Version: 4:4.3.8-7
Severity: important

the php4-common package seems to set the wrong permissions on the
/var/lib/php4 folder, which in turn breaks sessions as this is where
session data is written.
chmod a+rw /var/lib/php4 fixes the problem.

Caveman


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: LANG=C, LC_CTYPE=C



Information forwarded to [email protected], Adam Conrad <[email protected]>:
Bug#267720; Package php4-common.


Acknowledgement sent to "Adam Conrad" <[email protected]>:
Extra info received and forwarded to list. Copy sent to Adam Conrad <[email protected]>.


Message #10 received at [email protected]:

From: "Adam Conrad" <[email protected]>
To: "'Caveman'" <[email protected]>, <[email protected]>
Subject: RE: Bug#267720: php4-common: Package breaks sessions (wrong permissions)
Date: Tue, 24 Aug 2004 18:32:16 +1000

Caveman wrote:
> 
> the php4-common package seems to set the wrong permissions on the
> /var/lib/php4 folder, which in turn breaks sessions as this is where
> session data is written.
> chmod a+rw /var/lib/php4 fixes the problem.

... and allows anyone on a multiuser machine to hijack sessions
belonging to other users -- the specific reason we moved sessions out of
/tmp in the first place.  The correct fix for this is to just stop PHP's
garbage collector from doing its thing, which I will be doing in the
next upload.  We have a cronjob instead (/etc/cron.d/php4) which does
garbage collection as root, solving the issue.

... Adam
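
An added example, not part of the bug log or of the php4 package: a small audit of the two things this exchange turns on, the session directory's mode and whether PHP's in-process garbage collector is switched off. The 1733 target mode, the scratch paths and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the php4 package). The 1733 target mode and all
# paths used below are assumptions for illustration.

# Pass only if "other" cannot list the directory and the sticky bit is set:
# users may create session files but not enumerate or remove each other's.
session_dir_ok() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 2      # GNU stat, e.g. "1733"
    m=$((0$mode))                                # read the digits as octal
    [ $((m & 4)) -eq 0 ] || { echo "$dir: world-listable (mode $mode)"; return 1; }
    [ $((m & 01000)) -ne 0 ] || { echo "$dir: no sticky bit (mode $mode)"; return 1; }
}

# Print the effective session.gc_probability of a php.ini: the last
# uncommented assignment, or "compiled-in" when every one is commented out.
ini_gc_probability() {
    val=$(sed -n 's/^[[:space:]]*session\.gc_probability[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-compiled-in}"
}

# Combined check: a locked-down directory plus in-process GC switched off
# ("compiled-in" is taken to be 0, as the 4:4.3.8-8 changelog states).
audit() {
    dir=$1; ini=$2; rc=0
    session_dir_ok "$dir" || rc=1
    gc=$(ini_gc_probability "$ini")
    case $gc in
        0|compiled-in) ;;
        *) echo "$ini: gc_probability=$gc, in-process GC needs to list $dir"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo in a scratch directory standing in for /var/lib/php4.
demo=$(mktemp -d)
mkdir "$demo/sessions" && chmod 1733 "$demo/sessions"
printf ';session.gc_probability = 1\n' > "$demo/php.ini"
audit "$demo/sessions" "$demo/php.ini" && echo "packaged layout: ok"
chmod a+rw "$demo/sessions"                      # the workaround from the report
audit "$demo/sessions" "$demo/php.ini" || echo "workaround: rejected"
rm -rf "$demo"
```

On a build whose compiled-in default is not 0, treat a commented-out directive as a finding rather than a pass.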




Reply sent to Adam Conrad <[email protected]>:
You have taken responsibility.


Notification sent to Caveman <[email protected]>:
Bug acknowledged by developer.


Message #15 received at [email protected]:

From: Adam Conrad <[email protected]>
To: [email protected]
Subject: Bug#267720: fixed in php4 4:4.3.8-8
Date: Tue, 24 Aug 2004 09:02:13 -0400

Source: php4
Source-Version: 4:4.3.8-8

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

caudium-php4_4.3.8-8_i386.deb
  to pool/main/p/php4/caudium-php4_4.3.8-8_i386.deb
caudium-php4_4.3.8-8_powerpc.deb
  to pool/main/p/php4/caudium-php4_4.3.8-8_powerpc.deb
libapache-mod-php4_4.3.8-8_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.8-8_i386.deb
libapache-mod-php4_4.3.8-8_powerpc.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.8-8_powerpc.deb
libapache2-mod-php4_4.3.8-8_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.8-8_i386.deb
libapache2-mod-php4_4.3.8-8_powerpc.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.8-8_powerpc.deb
php4-cgi_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.8-8_i386.deb
php4-cgi_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-cgi_4.3.8-8_powerpc.deb
php4-cli_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-cli_4.3.8-8_i386.deb
php4-cli_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-cli_4.3.8-8_powerpc.deb
php4-common_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-common_4.3.8-8_i386.deb
php4-common_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-common_4.3.8-8_powerpc.deb
php4-curl_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-curl_4.3.8-8_i386.deb
php4-curl_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-curl_4.3.8-8_powerpc.deb
php4-dev_4.3.8-8_all.deb
  to pool/main/p/php4/php4-dev_4.3.8-8_all.deb
php4-domxml_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-domxml_4.3.8-8_i386.deb
php4-domxml_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-domxml_4.3.8-8_powerpc.deb
php4-gd_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-gd_4.3.8-8_i386.deb
php4-gd_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-gd_4.3.8-8_powerpc.deb
php4-imap_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-imap_4.3.8-8_i386.deb
php4-imap_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-imap_4.3.8-8_powerpc.deb
php4-ldap_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.8-8_i386.deb
php4-ldap_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-ldap_4.3.8-8_powerpc.deb
php4-mcal_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.8-8_i386.deb
php4-mcal_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-mcal_4.3.8-8_powerpc.deb
php4-mhash_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.8-8_i386.deb
php4-mhash_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-mhash_4.3.8-8_powerpc.deb
php4-mysql_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.8-8_i386.deb
php4-mysql_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-mysql_4.3.8-8_powerpc.deb
php4-odbc_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.8-8_i386.deb
php4-odbc_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-odbc_4.3.8-8_powerpc.deb
php4-pear_4.3.8-8_all.deb
  to pool/main/p/php4/php4-pear_4.3.8-8_all.deb
php4-recode_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-recode_4.3.8-8_i386.deb
php4-recode_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-recode_4.3.8-8_powerpc.deb
php4-snmp_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.8-8_i386.deb
php4-snmp_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-snmp_4.3.8-8_powerpc.deb
php4-sybase_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.8-8_i386.deb
php4-sybase_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-sybase_4.3.8-8_powerpc.deb
php4-xslt_4.3.8-8_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.8-8_i386.deb
php4-xslt_4.3.8-8_powerpc.deb
  to pool/main/p/php4/php4-xslt_4.3.8-8_powerpc.deb
php4_4.3.8-8.diff.gz
  to pool/main/p/php4/php4_4.3.8-8.diff.gz
php4_4.3.8-8.dsc
  to pool/main/p/php4/php4_4.3.8-8.dsc
php4_4.3.8-8_all.deb
  to pool/main/p/php4/php4_4.3.8-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[email protected]> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 24 Aug 2004 03:09:43 -0600
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal caudium-php4 php4-mhash
Architecture: all i386 powerpc source 
Version: 4:4.3.8-8
Distribution: unstable
Urgency: low
Maintainer: Adam Conrad <[email protected]>
Changed-By: Adam Conrad <[email protected]>
Description: 
 caudium-php4 - server-side, HTML-embedded scripting language (caudium module)
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 267720
Changes: 
 php4 (4:4.3.8-8) unstable; urgency=low
 .
   * Default session.save_path is now compiled in to php4, allowing
     us to, again, comment out the value in php.ini.
   * Comment out session.gc_probability in the default php.ini, as we've
     now compiled in a default of 0, allowing the cronjob to do the
     garbage collection for us instead. (closes: #267720)
   * Make the 5 SAPI postinsts smarter, allowing them to poke around in
     people's configs and make sure that sessions won't be broken
     after we upgraded them from a perfectly functional system.
   * Add 022-4.3.9_sprintf_fixes.patch, fixing incorrect formatting of
     floats with padding by sprintf().
   * Make php4-common arch:any, and loosen up some of the other any->all
     package dependencies to make sure binNMUs won't break.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBKziUvjztR8bOoMkRAoUKAJ91wbCMZ54a5TIDkuca/JQ8Xzay/wCfRAKU
BBZ4LevQRgbTVWEwp6ugngU=
=3rDe
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <[email protected]>. Last modified: Sun Aug 17 00:42:40 2025; Machine Name: buxtehude
