[php-maint] Bug#759282: [php-pear] "/tmp" symlink file clobbering

vladz vladz at devzero.fr
Mon Aug 25 19:28:44 UTC 2014

Package: php-pear
Version: 5.4.4-14+deb7u14
Tags: security

PEAR commands such as "pear install [...]" writes cache data into
predictable filenames located in "/tmp/".  Unprivileged local users
could use symlinks to clobber arbitrary files.

Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
the code above.  They are predictable as far as we know the extension
name that is going to be installed (this name is used to construct the
url for the MD5 checksum):

    $ cat -n /usr/share/php/PEAR/REST.php
    59         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    60             md5($url) . 'rest.cachefile';
    194        $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    195            md5($url) . 'rest.cacheid';

For instance, when installing the "Mail_mime" extension, the following
filenames are used by PEAR:
  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid

In this case, the "$url" used for md5 checksum is the following:

    $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
    ff051dc5b96c95bf60e300d415b6c47e  -

To sum up, if a local user wants to clobber the "/etc/shadow" file, he

    $ mkdir -p /tmp/pear/cache/
    $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile

Then when root runs PEAR, file gets clobbered:

    # pear install Mail_mime
    # du -sk /etc/shadow
    0	/etc/shadow

A function like tempnam() could be use instead.  It creates file with
unique filename (see http://php.net/manual/en/function.tempnam.php).

PGP key 8F7E2D3C from pgp.mit.edu

More information about the pkg-php-maint mailing list