[php-maint] Bug#759282: [php-pear] "/tmp" symlink file clobbering
vladz at devzero.fr
Mon Aug 25 19:28:44 UTC 2014
PEAR commands such as "pear install [...]" write cache data into
predictable filenames located in "/tmp/". Unprivileged local users
could use symlinks to clobber arbitrary files.
Temporary filenames ("$cachefile" and "$cacheidfile") are generated by
the code below. They are predictable as long as the name of the
extension about to be installed is known (this name is used to construct
the URL whose MD5 checksum forms the filename):
$ cat -n /usr/share/php/PEAR/REST.php
59 $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
60 md5($url) . 'rest.cachefile';
194 $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
195 md5($url) . 'rest.cacheid';
For instance, when installing the "Mail_mime" extension, the following
filenames are used by PEAR:
In this case, the "$url" used for the MD5 checksum is the following:
$ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
To sum up, if a local user wants to clobber the "/etc/shadow" file, he
$ mkdir -p /tmp/pear/cache/
$ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
Then, when root runs PEAR, the file gets clobbered:
# pear install Mail_mime
# du -sk /etc/shadow
A function like tempnam() could be used instead. It creates a file with
a unique filename (see http://php.net/manual/en/function.tempnam.php).
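To illustrate, here is the predictable-name write from REST.php next to a hardened version built around tempnam(). This is an added example, not PEAR's code; $cacheDir stands in for $this->config->get('cache_dir'), and the posix extension is assumed for posix_geteuid(). The ownership and mode checks on the cache directory are what reject an attacker-created /tmp/pear/cache/ like the one in the steps above.

```php
<?php
// Added example, not PEAR's own code: the predictable-name write from REST.php
// beside a hardened version. $cacheDir stands in for $this->config->get('cache_dir');
// the posix extension is assumed for posix_geteuid().

function unsafeWriteCache(string $cacheDir, string $url, string $data): void
{
    // Predictable name; file_put_contents() follows a symlink planted here,
    // so whatever the link points at is overwritten with $data.
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    file_put_contents($cachefile, $data);
}

function safeWriteCache(string $cacheDir, string $url, string $data): void
{
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';

    // 1. The cache directory must be ours and not writable by other users;
    //    otherwise anyone can pre-create it under /tmp and plant links in it.
    $st = @lstat($cacheDir);
    if ($st === false || is_link($cacheDir) || !is_dir($cacheDir)) {
        throw new RuntimeException("cache_dir missing or is a symlink: $cacheDir");
    }
    if ($st['uid'] !== posix_geteuid() || ($st['mode'] & 0022) !== 0) {
        throw new RuntimeException("cache_dir not owned by us or group/world-writable: $cacheDir");
    }

    // 2. Never write through a link sitting at the final name.
    if (is_link($cachefile)) {
        throw new RuntimeException("refusing to write through symlink: $cachefile");
    }

    // 3. tempnam() creates a fresh, uniquely named file (O_EXCL, mode 0600)
    //    in the cache dir. It silently falls back to the system temp dir when
    //    the directory is not writable, so verify where the file really landed.
    $tmp = tempnam($cacheDir, 'rest.');
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($cacheDir)) {
        throw new RuntimeException("tempnam() did not create the file in $cacheDir");
    }
    file_put_contents($tmp, $data);

    // 4. rename() replaces whatever sits at $cachefile (a planted symlink
    //    included) with our file instead of following it.
    if (!rename($tmp, $cachefile)) {
        unlink($tmp);
        throw new RuntimeException("could not move cache file into place");
    }
}
```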
PGP key 8F7E2D3C from pgp.mit.edu