
Debian Bug report logs - #759282
[php-pear] "/tmp" symlink file clobbering (CVE-2014-5459)


Package: php-pear; Maintainer for php-pear is Debian PHP Maintainers <team+pkg-php@tracker.debian.org>; Source for php-pear is src:php-pear (PTS, buildd, popcon).

Reported by: vladz <vladz@devzero.fr>

Date: Mon, 25 Aug 2014 20:00:02 UTC

Severity: normal

Tags: security

Merged with 682157

Found in versions php5/5.4.4-2, php5/5.4.4-14+deb7u14

Forwarded to https://pear.php.net/bugs/bug.php?id=18055



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Mon, 25 Aug 2014 20:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to vladz <vladz@devzero.fr>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 25 Aug 2014 20:00:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: vladz <vladz@devzero.fr>
To: submit@bugs.debian.org
Subject: [php-pear] "/tmp" symlink file clobbering
Date: Mon, 25 Aug 2014 21:28:44 +0200
Package: php-pear
Version: 5.4.4-14+deb7u14
Tags: security

PEAR commands such as "pear install [...]" write cache data into
predictable filenames located in "/tmp/".  Unprivileged local users
could use symlinks to clobber arbitrary files.

Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
the code above.  They are predictable as far as we know the extension
name that is going to be installed (this name is used to construct the
url for the MD5 checksum):

    $ cat -n /usr/share/php/PEAR/REST.php
    [...]
    59         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    60             md5($url) . 'rest.cachefile';
    [...]
    194        $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
    195            md5($url) . 'rest.cacheid';

For instance, when installing the "Mail_mime" extension, the following
filenames are used by PEAR:
  
  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
  - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid

In this case, the "$url" used for md5 checksum is the following:

    $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
    ff051dc5b96c95bf60e300d415b6c47e  -

To sum up, if a local user wants to clobber the "/etc/shadow" file, he
runs:

    $ mkdir -p /tmp/pear/cache/
    $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile

Then when root runs PEAR, file gets clobbered:

    # pear install Mail_mime
    [...]
    # du -sk /etc/shadow
    0	/etc/shadow

A function like tempnam() could be used instead.  It creates a file with
a unique filename (see http://php.net/manual/en/function.tempnam.php).

Regards,
-- 
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Tue, 26 Aug 2014 04:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 26 Aug 2014 04:54:05 GMT) (full text, mbox, link).


Message #10 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 759282@bugs.debian.org
Subject: CVE request: php-pear, pear's insecure /tmp/ use for cache data
Date: Tue, 26 Aug 2014 14:50:09 +1000
Hello,

It was reported that the pear utility insecurely used the /tmp/ 
directory for cache data. A local attacker could use this flaw to 
perform a symbolic link attack against a user (typically the root user) 
running a pear command (such as "pear install").

Original report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282

Could a CVE please be assigned?

Thanks,

--
Murray McAllister / Red Hat Product Security



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Tue, 26 Aug 2014 09:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 26 Aug 2014 09:21:08 GMT) (full text, mbox, link).


Message #15 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: vladz <vladz@devzero.fr>, 759282@bugs.debian.org
Subject: Re: [php-maint] Bug#759282: [php-pear] "/tmp" symlink file clobbering
Date: Tue, 26 Aug 2014 11:20:14 +0200
Control: forcemerge -1 682157

Yes, it's a known bug that php-pear is not safe on multiuser systems.

Ondrej

On Mon, Aug 25, 2014, at 21:28, vladz wrote:
> 
> Package: php-pear
> Version: 5.4.4-14+deb7u14
> Tags: security
> 
> PEAR commands such as "pear install [...]" write cache data into
> predictable filenames located in "/tmp/".  Unprivileged local users
> could use symlinks to clobber arbitrary files.
> 
> Temporary filenames ("$cachefile" and "$cacheidfile") are generated with
> the code above.  They are predictable as far as we know the extension
> name that is going to be installed (this name is used to construct the
> url for the MD5 checksum):
> 
>     $ cat -n /usr/share/php/PEAR/REST.php
>     [...]
>     59         $cachefile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>     60             md5($url) . 'rest.cachefile';
>     [...]
>     194        $cacheidfile = $this->config->get('cache_dir') . DIRECTORY_SEPARATOR .
>     195            md5($url) . 'rest.cacheid';
> 
> For instance, when installing the "Mail_mime" extension, the following
> filenames are used by PEAR:
>   
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
>   - /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cacheid
> 
> In this case, the "$url" used for md5 checksum is the following:
> 
>     $ printf "http://pear.php.net/rest/p/mail_mime/info.xml" | md5sum
>     ff051dc5b96c95bf60e300d415b6c47e  -
> 
> To sum up, if a local user wants to clobber the "/etc/shadow" file, he
> runs:
> 
>     $ mkdir -p /tmp/pear/cache/
>     $ ln -s /etc/shadow /tmp/pear/cache/ff051dc5b96c95bf60e300d415b6c47erest.cachefile
> 
> Then when root runs PEAR, file gets clobbered:
> 
>     # pear install Mail_mime
>     [...]
>     # du -sk /etc/shadow
>     0       /etc/shadow
> 
> A function like tempnam() could be used instead.  It creates a file with
> a unique filename (see http://php.net/manual/en/function.tempnam.php).
> 
> Regards,
> -- 
> http://vladz.devzero.fr
> PGP key 8F7E2D3C from pgp.mit.edu
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Marked as found in versions php5/5.4.4-2. Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:11 GMT) (full text, mbox, link).


Merged 682157 759282 Request was from Ondřej Surý <ondrej@sury.org> to 759282-submit@bugs.debian.org. (Tue, 26 Aug 2014 09:21:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Wed, 27 Aug 2014 05:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 27 Aug 2014 05:36:04 GMT) (full text, mbox, link).


Message #24 received at 759282@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: mmcallis@redhat.com, 759282@bugs.debian.org
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com
Subject: Re: CVE request: php-pear, pear's insecure /tmp/ use for cache data
Date: Wed, 27 Aug 2014 01:24:20 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282

Use CVE-2014-5459.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT/WsUAAoJEKllVAevmvmsaXEH/3bwwhDnyGdxilowL2kx/S+j
gRmak0Uegsz5ZfDgl3PIzxKBc2EkwZrRhPlgeBVx6+OtGlp6MHjrMXYHp06LJBXj
RegI3t+gyBXEjUrOHmOHdY1N7RnprMu5YZnB5LErKicqp0SivDEDcSiecSbDTk9o
LXlvE1mPHfZzwhiqWUtFfyNVUb7CmnQWT5WLgWDaRVAXIqWNIiv/fwwIJgD3MTSp
k6WmlhCwXAWBLq3t8zgV8jSSsZW2KCgFpzUJEZuzPlTpSaZys6zCl2s8tgfwpGCj
zWVZmyRmn6IAC6t/huK/Zs3nhuNX2SKksLGtxVnGvklNd1gkUimvqVDSX2YZ1Wk=
=S9dC
-----END PGP SIGNATURE-----



Changed Bug title to '[php-pear] "/tmp" symlink file clobbering (CVE-2014-5459)' from '[php-pear] "/tmp" symlink file clobbering' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2014 05:42:05 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://pear.php.net/bugs/bug.php?id=18055'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2014 08:57:17 GMT) (full text, mbox, link).


Message #29 received at 682157-done@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: 682157-done@bugs.debian.org
Subject: Fixed since 1.9.2
Date: Sat, 7 Nov 2015 14:25:32 +0100
Version: 5.3.6-1

Hello,

According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2

Regards
-- 
Mathieu



Bug reopened Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Nov 2015 13:54:08 GMT) (full text, mbox, link).


No longer marked as fixed in versions 5.3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Nov 2015 13:54:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Sat, 07 Nov 2015 14:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 07 Nov 2015 14:15:10 GMT) (full text, mbox, link).


Message #38 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 759282@bugs.debian.org
Cc: Mathieu Parent <math.parent@gmail.com>
Subject: Re: Bug#759282 closed by Mathieu Parent <math.parent@gmail.com> (Fixed since 1.9.2)
Date: Sat, 7 Nov 2015 15:05:43 +0100
Hi Mathieu,

On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> Version: 5.3.6-1
> 
> Hello,
> 
> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2

is this true? I just did a quick check (not a full analysis) and it
still seems to use /tmp/pear.

Can you check if the upstream bug report might be pointing to the
wrong fixing version?

(I have reopened the bugs for now)

Regards,
Salvatore



Reply sent to Mathieu Parent <math.parent@gmail.com>:
You have taken responsibility. (Sat, 07 Nov 2015 14:57:06 GMT) (full text, mbox, link).


Notification sent to vladz <vladz@devzero.fr>:
Bug acknowledged by developer. (Sat, 07 Nov 2015 14:57:06 GMT) (full text, mbox, link).


Message #43 received at 759282-done@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 759282-done@bugs.debian.org
Subject: Re: Bug#759282 closed by Mathieu Parent <math.parent@gmail.com> (Fixed since 1.9.2)
Date: Sat, 7 Nov 2015 15:53:07 +0100
2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hi Mathieu,
>
> On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> Version: 5.3.6-1
>>
>> Hello,
>>
>> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>
> is this true? I just did a quick check (not a full analysis) and it
> still seems to use /tmp/pear.

Yes, it does. But it checks for symlinks and truncates the file.

This even introduced a regression on Windows:
https://pear.php.net/bugs/bug.php?id=18834

> Can you check if the upstream bug report might be pointing to the
> wrong fixing version?

This is:
https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
(which is in 1.9.2)

And further improvement in:
https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
(which is in 1.9.3)

> (I have reopened the bugs for now)

Can we close it then?

Regards
-- 
Mathieu



Reply sent to Mathieu Parent <math.parent@gmail.com>:
You have taken responsibility. (Sat, 07 Nov 2015 14:57:07 GMT) (full text, mbox, link).


Notification sent to Laurent Martelli <laurent@bearteam.org>:
Bug acknowledged by developer. (Sat, 07 Nov 2015 14:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Sun, 08 Nov 2015 06:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 08 Nov 2015 06:27:06 GMT) (full text, mbox, link).


Message #52 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, ondrej@debian.org
Subject: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Sun, 8 Nov 2015 07:25:07 +0100
Hi Mathieu,

On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> > Hi Mathieu,
> >
> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> Version: 5.3.6-1
> >>
> >> Hello,
> >>
> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >
> > is this true? I just did a quick check (not a full analysis) and it
> > still seems to use /tmp/pear.
> 
> Yes, it does. But it checks for symlinks and truncates the file.
> 
> This even introduced a regression on Windows:
> https://pear.php.net/bugs/bug.php?id=18834
> 
> > Can you check if the upstream bug report might be pointing to the
> > wrong fixing version?
> 
> This is:
> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> (which is in 1.9.2)
> 
> And further improvement in:
> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> (which is in 1.9.3)
> 
> > (I have reopened the bugs for now)
> 
> Can we close it then?

Well, IMHO no, that is not correct. The issues are still there even
if you cannot clobber someone else's files anymore. A user can block
another user this way.

As user foo do:

foo@sid:~$ pear download HTML_Common2
downloading HTML_Common2-2.1.1.tgz ...
Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
.....done: 8,604 bytes
File /home/foo/HTML_Common2-2.1.1.tgz downloaded


then replace the cache files with symlinks (e.g. to files in the home of
user bar, since he wants to try to clobber these files). bar is now
unable to pear download HTML_Common2:

bar@sid:~$ pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
bar@sid:~$ ls
bar@sid:~$

or as root

root@sid:~# pear download HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
download failed
root@sid:~# pear install HTML_Common2

Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
on line 203
PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
/usr/share/php/PEAR/REST.php on line 203
No releases available for package "pear.php.net/HTML_Common2"
install failed
root@sid:~#

So again, I don't think the issues with unsafe use of /tmp are fixed
correctly and the bugs should not be closed. PHP maintainers, what do
you think (Ondřej cc'ed)?

Regards,
Salvatore
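The three points made in this thread, the predictable cache path from the original report, the symlink-only check that Mathieu describes for 1.9.2, and the denial-of-service variant Salvatore shows above (another user planting unreadable cache files in the shared /tmp/pear/cache), illustrated as an added PHP example. This is not PEAR's code and not from anyone in the thread: the function names, the per-user directory under sys_get_temp_dir(), and the constructed layout at the bottom are assumptions. The Mail_mime REST URL is taken from the report to show that the filename is computable in advance; the rest shows the checks a cache implementation needs before it trusts a location in a shared temporary directory.

```php
<?php
declare(strict_types=1);
// Added example, not PEAR's code. Function names and directory layout are assumptions.

// Path construction as quoted from REST.php in the report: md5 of the REST
// URL under the shared cache_dir, so anyone who knows the package name can
// compute the filename before the privileged user runs pear.
function predictableCachePath(string $cacheDir, string $url): string
{
    return $cacheDir . DIRECTORY_SEPARATOR . md5($url) . 'rest.cachefile';
}

function currentUid(): int
{
    // posix_getuid() needs the posix extension; getmyuid() is the fallback.
    return function_exists('posix_getuid') ? posix_getuid() : (int) getmyuid();
}

// Why a cache directory must not be trusted. The owner and mode checks are what
// a symlink-only check lacks: in a world-writable directory another user can
// still plant regular files and break (or block) the cache for everyone else.
function cacheDirProblems(string $dir): array
{
    if (is_link($dir)) {
        return ['directory is a symlink'];
    }
    $st = @lstat($dir);
    if ($st === false || !is_dir($dir)) {
        return ['directory missing'];
    }
    $problems = [];
    if ($st['uid'] !== currentUid()) {
        $problems[] = 'directory owned by another user';
    }
    if (($st['mode'] & 0022) !== 0) {
        $problems[] = 'directory writable by group or others';
    }
    return $problems;
}

// Same for the cache file: a symlink (the clobbering case) or a file owned by
// someone else (the unserialize() failure case in the thread) is rejected.
function cacheFileProblems(string $path): array
{
    $problems = cacheDirProblems(dirname($path));
    if (is_link($path)) {
        $problems[] = 'cache file is a symlink';
    } elseif (($st = @lstat($path)) !== false && $st['uid'] !== currentUid()) {
        $problems[] = 'cache file owned by another user';
    }
    return $problems;
}

// Hardened location: a per-user directory created with mode 0700 and verified
// before use; a pre-existing directory with the wrong owner or mode is refused.
function privateCacheDir(): string
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pear-cache-' . currentUid();
    if (!is_dir($dir) && !@mkdir($dir, 0700) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    if (($problems = cacheDirProblems($dir)) !== []) {
        throw new RuntimeException("refusing $dir: " . implode(', ', $problems));
    }
    return $dir;
}

// Write via tempnam() (fresh 0600 file with a unique name in the same
// directory) and rename(), which replaces the target atomically and does not
// follow a symlink sitting at the target path.
function writeCache(string $path, string $data): void
{
    if (($problems = cacheFileProblems($path)) !== []) {
        throw new RuntimeException("refusing to write $path: " . implode(', ', $problems));
    }
    $tmp = tempnam(dirname($path), 'rest.');
    if ($tmp === false || file_put_contents($tmp, $data) === false || !rename($tmp, $path)) {
        if ($tmp !== false) {
            @unlink($tmp);
        }
        throw new RuntimeException("cannot write $path");
    }
}

// Demonstration on a constructed layout. With a single account only the symlink
// and permission conditions can be shown; foreign ownership needs a second user.
$dir = privateCacheDir();
$path = predictableCachePath($dir, 'http://pear.php.net/rest/p/mail_mime/info.xml');
writeCache($path, serialize(['checked' => time()]));
echo basename($path), ' ', json_encode(cacheFileProblems($path)), "\n";

$planted = $dir . DIRECTORY_SEPARATOR . 'planted.cachefile';
@unlink($planted);
symlink($dir . DIRECTORY_SEPARATOR . 'elsewhere', $planted);  // stands in for a planted link
echo json_encode(cacheFileProblems($planted)), "\n";

$shared = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pear-shared-demo';
@mkdir($shared, 0777);
chmod($shared, 0777);  // the shared, world-writable situation from the report
echo json_encode(cacheDirProblems($shared)), "\n";
```

The design choice worth noting is that the checks run on the directory, not just the file: once the cache lives in a directory that only the current user can write to, nobody else can place a symlink or a stale file there, and the symlink check on the file becomes a second line of defence rather than the only one. Run it as `php example.php`; the first line of output shows the computed Mail_mime filename with an empty problem list, the second flags the planted symlink, and the third flags the world-writable directory.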



Message sent on to vladz <vladz@devzero.fr>:
Bug#759282. (Sun, 08 Nov 2015 06:27:11 GMT) (full text, mbox, link).


Bug reopened Request was from Mathieu Parent <math.parent@gmail.com> to 682157-submit@bugs.debian.org. (Mon, 09 Nov 2015 06:21:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Mon, 09 Nov 2015 06:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 09 Nov 2015 06:21:07 GMT) (full text, mbox, link).


Message #62 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, Ondřej Surý <ondrej@debian.org>
Subject: Re: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Mon, 9 Nov 2015 07:17:24 +0100
Control: reopen -1

2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hi Mathieu,

Hi Salvatore,

> On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
>> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
>> > Hi Mathieu,
>> >
>> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
>> >> Version: 5.3.6-1
>> >>
>> >> Hello,
>> >>
>> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
>> >
>> > is this true? I just did a quick check (not a full analysis) and it
>> > still seems to use /tmp/pear.
>>
>> Yes, it does. But it checks for symlinks and truncates the file.
>>
>> This even introduced a regression on Windows:
>> https://pear.php.net/bugs/bug.php?id=18834
>>
>> > Can you check if the upstream bug report might be pointing to the
>> > wrong fixing version?
>>
>> This is:
>> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
>> (which is in 1.9.2)
>>
>> And further improvement in:
>> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
>> (which is in 1.9.3)
>>
>> > (I have reopened the bugs for now)
>>
>> Can we close it then?
>
> Well, IMHO no, that is not correct. The issues are still there even
> if you cannot clobber someone else's files anymore. A user can block
> another user this way.

I didn't want to close it, but my Reply-to-all went to the -done addresses.

>
> As user foo do:
>
> foo@sid:~$ pear download HTML_Common2
> downloading HTML_Common2-2.1.1.tgz ...
> Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> .....done: 8,604 bytes
> File /home/foo/HTML_Common2-2.1.1.tgz downloaded
>
>
> then replace the cache files with symlinks (e.g. to files in the home of
> user bar, since he wants to try to clobber these files). bar is now
> unable to pear download HTML_Common2:
>
> bar@sid:~$ pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> bar@sid:~$ ls
> bar@sid:~$
>
> or as root
>
> root@sid:~# pear download HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> download failed
> root@sid:~# pear install HTML_Common2
>
> Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> on line 203
> PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> /usr/share/php/PEAR/REST.php on line 203
> No releases available for package "pear.php.net/HTML_Common2"
> install failed
> root@sid:~#
>
> So again, I don't think the issues with unsafe use of /tmp are fixed
> correctly and the bugs should not be closed. PHP maintainers, what do
> you think (Ondřej cc'ed)?

Which pear version are you testing?

Note that I'll be the php-pear maintainer, once the new package [1] is finished.

We should test against this latest 1.10 and report upstream if the bug remains.

[1]: anonscm.debian.org/cgit/pkg-php/php-pear.git

Regards

-- 
Mathieu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#759282; Package php-pear. (Sat, 14 Nov 2015 18:21:10 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 14 Nov 2015 18:21:10 GMT) (full text, mbox, link).


Message #67 received at 759282@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 759282@bugs.debian.org, 682157@bugs.debian.org, Ondřej Surý <ondrej@debian.org>
Subject: Re: Bugs 759282 and 682157 (php-pear unsafe use of /tmp) should probably not be closed
Date: Sat, 14 Nov 2015 19:18:52 +0100
Hi Mathieu,

On Mon, Nov 09, 2015 at 07:17:24AM +0100, Mathieu Parent wrote:
> Control: reopen -1
> 
> 2015-11-08 7:25 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> > Hi Mathieu,
> 
> Hi Salvatore,
> 
> > On Sat, Nov 07, 2015 at 03:53:07PM +0100, Mathieu Parent wrote:
> >> 2015-11-07 15:05 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> >> > Hi Mathieu,
> >> >
> >> > On Sat, Nov 07, 2015 at 01:27:07PM +0000, Debian Bug Tracking System wrote:
> >> >> Version: 5.3.6-1
> >> >>
> >> >> Hello,
> >> >>
> >> >> According to https://pear.php.net/bugs/bug.php?id=18056, it's fixed since 1.9.2
> >> >
> >> > is this true? I just did a quick check (not a full analysis) and it
> >> > still seems to use /tmp/pear.
> >>
> >> Yes, it does. But it checks for symlinks and truncates the file.
> >>
> >> This even introduced a regression on Windows:
> >> https://pear.php.net/bugs/bug.php?id=18834
> >>
> >> > Can you check if the upstream bug report might be pointing to the
> >> > wrong fixing version?
> >>
> >> This is:
> >> https://github.com/pear/pear-core/commit/38de9355e3a9c66445a6d39d2c9a20f73e986d9a
> >> (which is in 1.9.2)
> >>
> >> And further improvement in:
> >> https://github.com/pear/pear-core/commit/cd31da7d8b5e684f177a8fe700339f7eb2420876
> >> (which is in 1.9.3)
> >>
> >> > (I have reopened the bugs for now)
> >>
> >> Can we close it then?
> >
> > Well, IMHO no, that is not correct. The issues are still there even
> > if you cannot clobber someone else's files anymore. A user can block
> > another user this way.
> 
> I didn't want to close it, but my Reply-to-all went to the -done addresses.
> 
> >
> > As user foo do:
> >
> > foo@sid:~$ pear download HTML_Common2
> > downloading HTML_Common2-2.1.1.tgz ...
> > Starting to download HTML_Common2-2.1.1.tgz (8,604 bytes)
> > .....done: 8,604 bytes
> > File /home/foo/HTML_Common2-2.1.1.tgz downloaded
> >
> >
> > then replace the cache files with symlinks (e.g. to files in the home of
> > user bar, since he wants to try to clobber these files). bar is now
> > unable to pear download HTML_Common2:
> >
> > bar@sid:~$ pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > bar@sid:~$ ls
> > bar@sid:~$
> >
> > or as root
> >
> > root@sid:~# pear download HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > download failed
> > root@sid:~# pear install HTML_Common2
> >
> > Notice: unserialize(): Error at offset 0 of 220 bytes in PEAR/REST.php
> > on line 203
> > PHP Notice:  unserialize(): Error at offset 0 of 220 bytes in
> > /usr/share/php/PEAR/REST.php on line 203
> > No releases available for package "pear.php.net/HTML_Common2"
> > install failed
> > root@sid:~#
> >
> > So again, I don't think the issues with unsafe use of /tmp are fixed
> > correctly and the bugs should not be closed. PHP maintainers, what do
> > you think (Ondřej cc'ed)?
> 
> Which pear version are you testing?

Just to confirm, this was with php-pear provided from src:php5,
Version 5.6.14+dfsg-1.
> 
> Note that I'll be the php-pear maintainer, once the new package [1] is finished.
> 
> We should test against this latest 1.10 and report upstream if the bug remains.

Ack, yes I see.

Regards and thanks for your work there!

Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 28 16:04:35 2025; Machine Name: buxtehude
