opendir("ssh2.sftp://..") fails after upgrade to 7.0.13 from xenial-updates

Bug #1663281 reported by David Hedberg on 2017-02-09
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
php-ssh2 (Ubuntu) | | Undecided | Unassigned |
Precise | | Undecided | Leonidas S. Barbosa |
Trusty | | Undecided | Leonidas S. Barbosa |
Xenial | | Undecided | Leonidas S. Barbosa |
Artful | | Undecided | Unassigned |
Bionic | | Undecided | Unassigned |

Bug Description

opendir() for a "ssh2.sftp://.."-style url fails after upgrade to php 7.0.13 from xenial-updates.

This is a known bug fixed upstream in php-ssh2, commit 17680cf039f0cfac53b5a2531fdb715b95e9cc42.

I've rebuilt the package locally using the attached patch.

The attachment "Patch against php-ssh2-0.12-39-g3dfe336+0.12" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
David Hedberg (david-hedberg-t) wrote :

Further testing suggests that cherry-picking this particular commit might be insufficient for our usage scenario. I'll test a bit with the master branch of ssh2.

What's clear is that the version currently being shipped in xenial is broken when used with php from xenial-updates.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php-ssh2 (Ubuntu):
status: New → Confirmed
Jan Kellermann (jan-kellermann) wrote :

After php-common-update from 2017.08-04 this affects Ubuntu 14.04 with php5.5, too.

Circumvention:

In place of: 'ssh2.sftp://' . $sftp . '/...'
write: 'ssh2.sftp://' . intval($sftp) . '/...'

see:
https://bugs.php.net/bug.php?id=69981
https://bugs.php.net/bug.php?id=73597

I suggest this problem occurs due to the backport of the parse_url() bug in php5-common https://bugs.php.net/bug.php?id=73192 and CVE-2016-10397
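
Added example (not part of the comment above, and not code from php-ssh2): it compares how parse_url() splits the two URL forms from the workaround. A php://memory stream stands in for the ssh2_sftp() resource so it runs without a server; sftp_url() and url_parts() are hypothetical helper names, and the path is a constructed sample.

```php
<?php
// Added illustration; not code from the bug report or from php-ssh2.
// Assumption: any PHP resource casts to string and int the same way an
// ssh2_sftp() resource does, so a php://memory stream is used as a stand-in.

/** Build an ssh2.sftp:// URL with the numeric resource id as the host part. */
function sftp_url($sftp, string $path): string
{
    if (!is_resource($sftp)) {
        throw new InvalidArgumentException('expected an SFTP resource');
    }
    // Exactly one slash between the id and the path keeps the two separated.
    return 'ssh2.sftp://' . intval($sftp) . '/' . ltrim($path, '/');
}

/** Return only the URL components relevant to the comparison. */
function url_parts(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return ['error' => 'unparseable'];
    }
    return array_intersect_key($parts, array_flip(['host', 'path', 'fragment']));
}

$res  = fopen('php://memory', 'r');   // constructed stand-in resource
$path = '/home/user/upload';          // constructed sample path

// Implicit string cast: the resource becomes "Resource id #N" inside the URL.
$broken = 'ssh2.sftp://' . $res . $path;
// Workaround from the comment: only the integer id goes into the URL.
$fixed  = sftp_url($res, $path);

foreach (['string cast' => $broken, 'intval()' => $fixed] as $label => $url) {
    printf("%-12s %s\n", $label, $url);
    foreach (url_parts($url) as $key => $value) {
        printf("    %-9s %s\n", $key, var_export($value, true));
    }
}
fclose($res);
```

On current PHP releases the `#` in "Resource id #N" ends the host, so the directory is reported as a fragment and no path is returned; the intval() form yields the id as host and the directory as path.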

Marco Scholl (traxanos) wrote :

Under 14.04 I have used this patch for php-ssh2:

https://launchpadlibrarian.net/193989033/fix-segfault.patch

Marco Scholl (traxanos) wrote :

With the last patch the segfaults are fixed, but the connection doesn't work.

Marc Deslauriers (mdeslaur) wrote :
Changed in php-ssh2 (Ubuntu Precise):
status: New → Confirmed
Changed in php-ssh2 (Ubuntu Trusty):
status: New → Confirmed
Changed in php-ssh2 (Ubuntu Xenial):
status: New → Confirmed
Changed in php-ssh2 (Ubuntu Artful):
status: New → Fix Released
Changed in php-ssh2 (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in php-ssh2 (Ubuntu Precise):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in php-ssh2 (Ubuntu Trusty):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in php-ssh2 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Leonidas S. Barbosa (leosilvab) wrote :

For trusty and precise/esm patches worked fine. But for Xenial it didn't fix the issue. Need more info/investigation for xenial.

Changed in php-ssh2 (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in php-ssh2 (Ubuntu Trusty):
status: Confirmed → Fix Released