Package: php-pear
Version: 5.4.4-14+deb7u14
Tags: security
PEAR commands such as "pear install [...]" write cache data into
predictable filenames located in "/tmp/". Unprivileged local users
could use symlinks to clobber arbitrary files.
Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
the code above. They are predictable as long as we know the extension
name that is going to be installed (this name is used to construct the
url for the MD5 checksum):
$ cat -n /usr/share/php/PEAR/REST.php
[...]
59 $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
60 md5($url) . 'rest.cachefile';
[...]
194 $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
195 md5($url) . 'rest.cacheid';
For instance, when installing the "Mail_mime" extension, the following
filenames are used by PEAR:
- /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
- /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid
In this case, the "$url" used for md5 checksum is the following:
$ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
ff051dc5b96c95bf60e300d415b6c47e -
To sum up, if a local user wants to clobber the "/etc/shadow" file, he
runs:
$ mkdir -p /tmp/pear/cache/
$ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
Then when root runs PEAR, file gets clobbered:
# pear install Mail_mime
[...]
# du -sk /etc/shadow
0 /etc/shadow
A function like tempnam() could be used instead. It creates a file with a
unique filename (see http://php.net/manual/en/function.tempnam.php).
Regards,
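The report above quotes the predictable-path pattern from REST.php and suggests tempnam() as a fix. The following is an added example, not code from the bug report or from PEAR itself: it places the pattern quoted from REST.php next to a hardened variant that keeps the cache in a per-user directory, refuses symlinked directories or entries, and writes through tempnam() plus rename(). The function names (writeCacheUnsafe, privateCacheDir, writeCacheSafe) are hypothetical; only the md5($url) . 'rest.cachefile' naming scheme is taken from the report.

```php
<?php
// Added example (not PEAR's code, not from the bug report). Function names are
// hypothetical; the md5($url) . 'rest.cachefile' scheme is the one quoted from REST.php.

// Mirrors the pattern quoted from REST.php: a fixed, world-shared directory and a
// filename that anyone can compute from the package name. file_put_contents()
// follows symlinks, so a link planted at that path redirects the write.
function writeCacheUnsafe(string $cacheDir, string $url, string $data): string
{
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    file_put_contents($cachefile, $data);
    return $cachefile;
}

// Hardened variant, step 1: use a directory that other accounts cannot write to,
// created with mode 0700 and verified (without following links) to be a real
// directory owned by the current user.
function privateCacheDir(): string
{
    $base = getenv('XDG_CACHE_HOME') ?: (getenv('HOME') . DIRECTORY_SEPARATOR . '.cache');
    $dir  = $base . DIRECTORY_SEPARATOR . 'pear';
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create cache dir $dir");
    }
    // lstat() does not follow symlinks, so a planted link is reported as a link.
    $st = lstat($dir);
    if ($st === false || is_link($dir) || $st['uid'] !== getmyuid()) {
        throw new RuntimeException("refusing to use untrusted cache dir $dir");
    }
    chmod($dir, 0700); // mkdir() mode is subject to umask, so enforce it explicitly
    return $dir;
}

// Hardened variant, step 2: never write through an existing symlink, and create
// the content in a fresh file that tempnam() opens exclusively (O_EXCL), then
// rename() it into place atomically on the same filesystem.
function writeCacheSafe(string $cacheDir, string $url, string $data): string
{
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    if (is_link($cachefile)) {
        throw new RuntimeException("cache entry $cachefile is a symlink");
    }
    $tmp = tempnam($cacheDir, 'rest');
    // tempnam() silently falls back to the system temp dir when $cacheDir is not
    // writable; make sure the file really landed inside our private directory.
    if ($tmp === false
        || strpos(realpath(dirname($tmp)), realpath($cacheDir)) !== 0) {
        throw new RuntimeException("tempnam() did not create a file inside $cacheDir");
    }
    file_put_contents($tmp, $data);
    rename($tmp, $cachefile);
    return $cachefile;
}

// Usage with the URL from the report (constructed sample content).
$dir  = privateCacheDir();
$file = writeCacheSafe($dir, 'http://pear.php.net/rest/p/mail_mime/info.xml', '<info/>');
echo "wrote $file\n";
```

The two halves of the fix matter independently: a private, permission-checked directory removes the shared-/tmp precondition, while the symlink check and tempnam()+rename() write protect against a link that is planted later or in a directory the tool did not create itself.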
Hello,
It was reported that the pear utility insecurely used the /tmp/ directory for cache data. A local attacker could use this flaw to perform a symbolic link attack against a user (typically the root user) running a pear command (such as "pear install").
Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282
Could a CVE please be assigned?
Thanks,
Yes, it's a known bug that php-pear is not safe on multiuser systems. Ondrej
Use CVE-2014-5459.
Version: 5.3.6-1
Hello,
According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
Regards
Hi Mathieu,
is this true? I just did a quick check (not a full analysis) and it still seems to use /tmp/pear. Can you check if the upstream bug report might be pointing to the wrong fixing version? (I have reopened the bugs for now)
Regards,
Salvatore
2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
This even introduced a regression on Windows: https://pear.php.net/bugs/bug.php?id=18834
https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a (which is in 1.9.2)
And further improvement in:
https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876 (which is in 1.9.3)
Can we close it then?
Regards
Hi Mathieu,
you cannot clobber someone else's files anymore. A can block another user this way. As user foo do:
foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded
then replace the cache files with symlinks (e.g. to files in home of user bar, since he wants to try to clobber these files). bar now is unable to pear download HTML_Common2:
bar@sid:~$ pear download HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$
or as root
root@sid:~# pear download HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2
Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice: unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#
So again, I don't think the issues with unsafe use of /tmp are fixed correctly and the bugs should not be closed. PHP maintainers, what do you think (Ondřej cc'ed)?
Regards,
Salvatore
2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
Hi Salvatore,
I didn't want to close it, but my Reply-to-all went to the -done addresses.
Which pear version are you testing?
Note that I'll be the php-pear maintainer, once the new package [1] is finished. We should test against this latest 1.10 and report upstream if the bug remains.
[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git
Regards
Hi Mathieu,
Just to confirm, this was with php-pear provided from src:php5, Version 5.6.14+dfsg-1.
Ack, yes I see.
Regards and thanks for your work there!
Salvatore