Request #36483 phpize php_autoconf security fix
Submitted: 2006-02-22 00:26 UTC Modified: 2010-12-22 12:47 UTC
Votes:6
Avg. Score:4.2 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:1 (16.7%)
From: david at davidfavor dot com
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 5.1.2
OS: RedHat EL-4
Private report: No
CVE-ID: None
 [2006-02-22 00:26 UTC] david at davidfavor dot com
Description:
------------
Since I've only installed PHP the first time, please
route this to the correct place.

There are many reports that resemble this:

   /usr/local/bin/phpize:
   /tmp/tmpEcSnL3/apd-1.0.1/build/shtool:
   /bin/sh: bad interpreter: Permission denied
   Cannot find autoconf. Please check your autoconf
   installation and the $PHP_AUTOCONF environment
   variable is set correctly and then rerun this script.

   ERROR: `phpize' failed

The problem is the pear command seems to violate
usual security precautions.

That is, mounting /tmp with the noexec option disallows
the execution of /tmp/*/shtool. The fix seems to be
maybe checking the executability of scripts on /tmp
first and prompting the user for an alternative
directory first.

The ugly workaround is to change /etc/fstab to allow
/tmp files to be executed... Shudder...

Reproduce code:
---------------
1) In /etc/fstab:

   /dev/hda3 /tmp ext3 defaults,noexec 1 0

2) reboot

3) pear install pecl/pdflib
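
The check proposed in the report above (test whether the temporary directory permits execution, then fall back to another directory), as an added example that is not code from PEAR, phpize, or the reporter. The function names `dir_allows_exec` and `pick_build_dir` and the candidate directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: probe a directory for exec permission before building in it.
# A noexec mount lets you create and chmod a script, but running it directly
# fails ("bad interpreter: Permission denied"), which is what breaks shtool.

# dir_allows_exec DIR
# Returns 0 only if a script created inside DIR can be executed directly.
dir_allows_exec() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1

    # mktemp creates the probe with an unpredictable name and mode 0600.
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"

    # Run the file itself (not "sh file"): only direct execution is
    # blocked by noexec, and that is how phpize invokes build/shtool.
    if "$probe" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$probe"
    return $rc
}

# pick_build_dir DIR...
# Prints the first candidate that allows execution; returns 1 if none does.
pick_build_dir() {
    for candidate in "$@"; do
        if dir_allows_exec "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage (candidate directories are assumptions, adjust to local policy):
#   build_dir=$(pick_build_dir "${TMPDIR:-/tmp}" /var/tmp "$HOME/build") || {
#       echo "no directory that permits execution; choose another one" >&2
#       exit 1
#   }
```
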


History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-22 12:47 UTC] johannes@php.net
-Status: Open
+Status: Bogus
-Package: Feature/Change Request
+Package: *General Issues
 [2010-12-22 12:47 UTC] johannes@php.net
This is a PEAR issue. Please report on pear.php.net.