[pkg-php-pear] Bug#919147: php-pear: CVE-2018-1000888

Salvatore Bonaccorso carnil at debian.org
Sun Jan 13 08:13:36 GMT 2019


Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9

Hi,

The following vulnerability was published for php-pear.

CVE-2018-1000888[0]:
| PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915
| vulnerability in the Archive_Tar class. There are several file
| operations with `$v_header['filename']` as parameter (such as
| file_exists, is_file, is_dir, etc). When extract is called without a
| specific prefix path, we can trigger unserialization by crafting a tar
| file with `phar://[path_to_malicious_phar_file]` as path. Object
| injection can be used to trigger destruct in the loaded PHP classes,
| e.g. the Archive_Tar class itself. With Archive_Tar object injection,
| arbitrary file deletion can occur because
| `@unlink($this->_temp_tarname)` is called. If another class with
| useful gadget is loaded, it may be possible to cause remote code
| execution that can result in files being deleted or possibly modified.
| This vulnerability appears to have been fixed in 1.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
[1] https://pear.php.net/bugs/bug.php?id=23782
[2] https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
[3] https://www.exploit-db.com/exploits/46108/

Regards,
Salvatore
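
A pre-extraction screen for the condition the CVE description relies on, as an added example (not part of the bug report, PEAR, or the upstream fix): it lists tar members whose stored name starts with a stream-wrapper scheme, generalizing from `phar://` to any `scheme://` prefix. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import tarfile

# A URL-style scheme followed by "://", e.g. phar://, php://, zip://.
# Matching every scheme instead of only phar:// is a deliberate generalization.
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def wrapper_members(fileobj):
    """Return [(member_name, scheme)] for entries whose stored path starts
    with a wrapper scheme. Only headers are read; nothing is extracted."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            match = WRAPPER_RE.match(member.name)
            if match:
                # Drop the trailing "://" and normalize case for reporting.
                hits.append((member.name, match.group(0)[:-3].lower()))
    return hits


def build_sample(names):
    """Constructed test input: an in-memory tar whose entries carry the
    given names and a harmless 5-byte body (no PHAR content involved)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: one ordinary entry, one with a phar:// member name.
    sample = build_sample(["docs/readme.txt", "phar:///tmp/placeholder.phar"])
    for name, scheme in wrapper_members(sample):
        print(f"reject archive: member {name!r} uses the {scheme}:// wrapper")
```

Run against uploaded or third-party archives before they reach a not-yet-updated Archive_Tar; a non-empty result means the archive should not be extracted.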
