[php-maint] Bug#443899: php-pear: CVE-2007-2519: PEAR installer arbitrary code execution vulnerability
Gregory Colpart
reg at evolix.fr
Mon Sep 24 21:48:41 UTC 2007
Package: php-pear
Version: 5.2.0-8+etch7
Severity: grave
Tags: patch security
Hello,
Overview:
=========
Lack of validation of the install-as attribute in package.xml
version 1.0 and of the <install> tag in package.xml version 2.0
allows attackers to install files in any location and possibly
overwrite crucial system files if the PEAR Installer is running
as a privileged user.
Vendor advisory:
http://pear.php.net/advisory-20070507.txt
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2519
I attach a patch backported by Ubuntu for this security issue.
Regards,
--
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
-------------- next part --------------
diff -uNrp PEAR-1.5.3/PEAR/Installer.php PEAR-1.5.4/PEAR/Installer.php
--- PEAR-1.5.3/PEAR/Installer.php 2007-04-18 20:01:48.000000000 -0700
+++ PEAR-1.5.4/PEAR/Installer.php 2007-05-07 21:10:49.000000000 -0700
@@ -292,6 +292,9 @@ class PEAR_Installer extends PEAR_Downlo
$installedas_dest_file = $installedas_dest_dir . DIRECTORY_SEPARATOR . '.tmp' . basename($final_dest_file);
}
$dest_dir = dirname($final_dest_file);
+ if (preg_match('~/\.\.(/|\\z)|^\.\./~', str_replace('\\', '/', $dest_file))) {
+ return $this->raiseError("SECURITY ERROR: file $file (installed to $dest_file) contains parent directory reference ..", PEAR_INSTALLER_FAILED);
+ }
$dest_file = $dest_dir . DIRECTORY_SEPARATOR . '.tmp' . basename($final_dest_file);
// }}}
@@ -482,6 +485,9 @@ class PEAR_Installer extends PEAR_Downlo
} else {
list($save_destdir, $dest_dir, $dest_file, $orig_file) = $info;
}
+ if (preg_match('~/\.\.(/|\\z)|^\.\./~', str_replace('\\', '/', $dest_file))) {
+ return $this->raiseError("SECURITY ERROR: file $file (installed to $dest_file) contains parent directory reference ..", PEAR_INSTALLER_FAILED);
+ }
$final_dest_file = $installed_as = $dest_file;
if (isset($this->_options['packagingroot'])) {
$final_dest_file = $this->_prependPath($final_dest_file,
More information about the pkg-php-maint
mailing list