Bug#: 189075
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jakub Moc (RETIRED) <jakub@gentoo.org>
Description:   Opened: 2007-08-16 06:33 0000
<snip>
Lack of validation of the install-as attribute in package.xml version
1.0 and of the <install> tag in package.xml version 2.0 allows
attackers to install files in any location and possibly overwrite
crucial system files if the PEAR Installer is running as a
privileged user.
</snip>

A couple of notes on this: Gentoo PHP team doesn't support using pear install
directly by users, and ebuilds for PEAR packages that are in the tree are
certainly not malicious. :) Also, the installed (malicious) code already could
do the same if you run it as a privileged user, as noted in the CVE-2007-2519
description.

Regardless, if you want to handle this, I'll prepare an ebuild for 1.6.1; it'd
have to be done sooner or later anyway. It's going to take some time due to the
way we are handling the PEAR installer on Gentoo.
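As an added example (not code from the bug report, from Gentoo, or from PEAR itself), here is the kind of check the quoted advisory says was missing: a validator that walks a package.xml and rejects any install-as (1.0) or <install as="..."> (2.0) target that is absolute or climbs out of the install root. The package.xml fragments are constructed for illustration; the 2.0 namespace URI is the real one, the file names are made up.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed package.xml fragments (not from any real PEAR package) covering
# the 1.0 install-as attribute and the 2.0 <install as="..."> tag.
SAMPLE_V1 = """<package version="1.0">
  <filelist>
    <file role="php" name="Foo.php" install-as="Foo/Foo.php"/>
    <file role="php" name="a.php" install-as="../../../escaped.php"/>
    <file role="php" name="b.php" install-as="/tmp/absolute.php"/>
  </filelist>
</package>"""

SAMPLE_V2 = """<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0">
  <phprelease>
    <filelist>
      <install name="src/Bar.php" as="Bar.php"/>
      <install name="src/c.php" as="sub/../../../../escaped2.php"/>
      <install name="src/d.php" as="C:\\absolute.php"/>
    </filelist>
  </phprelease>
</package>"""

def install_target_is_safe(target: str) -> bool:
    """True if an install target stays inside the install root: no empty
    value, no NUL, no absolute POSIX/Windows path, no upward escape."""
    if not target or "\x00" in target:
        return False
    p = target.replace("\\", "/")            # treat backslashes as separators
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return False                          # absolute path, either flavour
    norm = posixpath.normpath(p)              # collapses "sub/../.." etc.
    return not (norm == ".." or norm.startswith("../"))

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]             # strip the package-2.0 namespace

def unsafe_install_targets(package_xml: str) -> list:
    """Return every install target (package.xml 1.0 or 2.0) that fails
    install_target_is_safe(), in document order."""
    bad = []
    for el in ET.fromstring(package_xml).iter():
        name = _local(el.tag)
        if name == "file" and "install-as" in el.attrib:      # package.xml 1.0
            target = el.attrib["install-as"]
        elif name == "install" and "as" in el.attrib:         # package.xml 2.0
            target = el.attrib["as"]
        else:
            continue
        if not install_target_is_safe(target):
            bad.append(target)
    return bad
```

An installer running with privileges would refuse the whole package if this list is non-empty, rather than silently writing outside the install root.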

------- Comment #1 From Jakub Moc (RETIRED) 2007-08-16 11:05:06 0000 -------
dev-php/PEAR-PEAR-1.6.1 committed, ready for stabilization if you wish. :)

------- Comment #2 From Pierre-Yves Rofes 2007-08-16 21:56:49 0000 -------
Thanks, Jakub.
Arches, please test and mark stable dev-php/PEAR-PEAR-1.6.1.
Target keywords are:
"alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #3 From Gustavo Zacarias (RETIRED) 2007-08-16 22:19:05 0000 -------
sparc stable.

------- Comment #4 From Jeroen Roovers 2007-08-17 06:00:26 0000 -------
Stable for HPPA.

------- Comment #5 From Christian Faulhammer 2007-08-18 19:01:30 0000 -------
x86 stable

------- Comment #6 From Markus Rothe 2007-08-19 07:14:48 0000 -------
ppc64 stable

------- Comment #7 From Tobias Scherbaum 2007-08-22 15:19:55 0000 -------
ppc stable

------- Comment #8 From Christoph Mende 2007-08-23 00:07:22 0000 -------
amd64 stable

------- Comment #9 From Raúl Porcel 2007-08-24 16:46:28 0000 -------
alpha/ia64 stable

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-08-24 19:34:41 0000 -------
I tend to vote NO.

------- Comment #11 From Matt Drew 2007-09-05 00:05:34 0000 -------
I vote no.

------- Comment #12 From Pierre-Yves Rofes 2007-09-05 07:37:17 0000 -------
Voting no too and closing.
