php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc

Bug #930115 reported by Hurl on 2012-02-10
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
High
Unassigned
Lucid
High
Steve Beattie

Bug Description

Since last lucid security update, upgrading from 5.3.2-1ubuntu4.11 to php5 5.3.2-1ubuntu4.13 introduced a regression in ini_get("magic_quotes_gpc").

Even if magic_quotes are deprecated, this break codes relaying on detection of this ini.

We can see clearly this problem :

grep ^magic_quotes_gpc /etc/php5/cli/php.ini
magic_quotes_gpc = On

php -v
PHP 5.3.2-1ubuntu4.13 with Suhosin-Patch (cli) (built: Feb 9 2012 06:36:10)

php -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "0"

php -v
PHP 5.3.2-1ubuntu4.11 with Suhosin-Patch (cli) (built: Dec 13 2011 18:49:27)

php -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"

Maverick's php5 packages have the same behaviour :
php -v
PHP 5.3.3-1ubuntu9.9 with Suhosin-Patch (cli) (built: Feb 9 2012 06:37:37)

php -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "0"

Thanks for your help

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php5 (Ubuntu):
status: New → Confirmed
Ondřej Surý (ondrej) wrote :

Forwarded to https://bugs.php.net/bug.php?id=61043 with patch.

(Fortunatelly it's the Ubuntu today which needs to bite the bullet, since I haven't uploaded Debian security update yet. ;)

I am building Debian package with updated patch and will report back. Thanks for the test script.

Jean-Baptiste Lallement (jibel) wrote :

Thanks for your report. I confirm the change of behavior. This was probably introduced in this change:

php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low

[...]
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831

Changed in php5 (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
tags: added: lucid regression-update
Changed in php5 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
summary: - php5 5.3.2-1ubuntu4.13 introduced regression
+ php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Canonical Security Team (canonical-security)
Ondřej Surý (ondrej) wrote :

The patch attached to PHP bug report fixes your problem:

root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini
magic_quotes_gpc = On
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(1) "1"
root@howl:/tmp# emacs php.ini
root@howl:/tmp# grep ^magic_quotes_gpc /tmp/php.ini
magic_quotes_gpc = Off
root@howl:/tmp# /tmp/buildd/php5-5.3.3/cgi-build/sapi/cli/php -c /tmp/php.ini -r 'var_dump(ini_get("magic_quotes_gpc"));'
string(0) ""

Steve Beattie (sbeattie) wrote :

Ondřej, thanks for diagnosing this issue! I'll review and incorporate your patch and release a regression fix for this shortly after testing locally.

Thanks and my apologies for introducing this regression.

Changed in php5 (Ubuntu Lucid):
status: Triaged → In Progress
assignee: Canonical Security Team (canonical-security) → Steve Beattie (sbeattie)
Martin Klerx (mklerx) wrote :

The PHP-version in Hardy Heron (8.04) also has the same behaviour. (version 5.2.4-2ubuntu5.22) This broke some of the websites hosted on my severs that relied on magic_quotes_gpc detection with ini_get('magic_quotes_gpc') . This always returns 0 now, even when magic_quotes_gpc switchec On in php.ini or .htaccess.

Ondřej Surý (ondrej) wrote :

Well, it affects all versions which got that security report (i.e. all supported).

As far as I understand this bug, the magic_quotes are actually set to the correct value, it's just the ini_get() which reports wrong value.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.14

---------------
php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden> Fri, 10 Feb 2012 15:07:08 -0800

Changed in php5 (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.23

---------------
php5 (5.2.4-2ubuntu5.23) hardy-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden> Fri, 10 Feb 2012 15:34:36 -0800

Changed in php5 (Ubuntu):
status: Triaged → Fix Released
Steve Beattie (sbeattie) wrote :

Yes, as Ondřej said, all supported releases were affected and the issue was that ini_get('magic_quotes_gpc') was returning the wrong value, magic_quotes_gpc would still get set correctly. Also, get_magic_quotes_gpc() returned the correct value, too.

Fixes for all releases have gone out as http://www.ubuntu.com/usn/usn-1358-2/. Thanks for your patience.

Kousuke Ebihara (co3k) wrote :

I've posted in php-internals list about this topic: http://marc.info/?l=php-internals&m=132922462700684&w=2

Please tell me answers to some questions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.