Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 356893 (CVE-2011-1072)

Summary: <dev-php/PEAR-PEAR-1.9.2-r1: symlink attacks (CVE-2011-{1072,1144})
Product: Gentoo Security Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: beandog, php-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://pear.php.net/advisory-20110228.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-28 21:05:09 UTC 
The lack of symlink checks while doing installation and upgrades, which
initiate various system write operations, can cause privileged users
unknowingly to overwrite critical system files.

Details:

  To be vulnerable, a non-privileged user that has access to the system must
explicitly create a symlink from a predictable location, to which PEAR will
write, with an end point at a system critical file such as /etc/passwd.

A non-privileged user is not required to have permission to the symlink
endpoint, the required privileges are obtained by asking a privileged
user to perform a routine task, such as installation or upgrade of packages,
which will in turn write to a predictable location; the whole process is
transparent for the privileged user and will in turn write to the symbolically
linked endpoint.

It is not possible to inject arbitrary information with this approach, it is
only possible to overwrite symlinked files with one of the files coming from
the PEAR package being installed/updated.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-28 21:06:58 UTC 
Maintainers, is it OK to stabilize =dev-php/PEAR-PEAR-1.9.2?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2011-03-01 08:50:13 UTC 
Please go ahead.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-01 09:41:57 UTC 
Thank you. Arches, please stabilize =dev-php/PEAR-PEAR-1.9.2
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-03-01 11:17:07 UTC 
amd64 done
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-03-02 07:06:22 UTC 
Added CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/28/12.
Comment 6 Andreas Schürch gentoo-dev 2011-03-02 08:51:04 UTC 
Shouldn't =dev-php/pear-1.9.2 also go stable at the same time? Otherwise it tends to downgrade PEAR-PEAR again because of rdeps.... at least on my x86 testbox.
Comment 7 Ole Markus With (RETIRED) gentoo-dev 2011-03-02 10:38:14 UTC 
Indeed. It is important to simultaneously stabilise dev-php/pear as a system should never install PEAR-PEAR directly, but as a dependency to pear.
Comment 8 Andreas Schürch gentoo-dev 2011-03-02 13:45:23 UTC 
Ok, they both look ready to go, here on x86.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-02 17:33:05 UTC 
amd64, please also stabilize =dev-php/pear-1.9.2

Sorry about that. The full stabilization list is:

=dev-php/pear-1.9.2
=dev-php/PEAR-PEAR-1.9.2
Comment 10 Thomas Kahle (RETIRED) gentoo-dev 2011-03-03 11:09:45 UTC 
x86 done. Thanks.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-03 17:05:00 UTC 
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2011-03-04 10:04:48 UTC 
(In reply to comment #9)
> amd64, please also stabilize =dev-php/pear-1.9.2
> 
> Sorry about that. The full stabilization list is:
> 
> =dev-php/pear-1.9.2
> =dev-php/PEAR-PEAR-1.9.2
> 

works for me :)
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-04 16:28:15 UTC 
ppc64 stable
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2011-03-04 19:21:07 UTC 
amd64 done
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-05 09:50:49 UTC 
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2011-03-05 13:39:43 UTC 
alpha/arm/ia64/s390/sh/sparc stable
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:16:29 UTC 
Thanks, everyone.

GLSA Vote: yes.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2011-03-09 07:23:22 UTC 
This vulnerability has not been totally fixed as per the following messages:

http://seclists.org/oss-sec/2011/q1/346 and 
http://seclists.org/oss-sec/2011/q1/444 (as well as others in the thread)

Summary is as follows:

Not the full fix was in the patch for CVE-2011-1072, New CVE-2011-1144 was opened to address the incomplete Fix in 1072.

Release is in the 1.9.3 tree, with the actual patch that is claimed to fix the issue.

Patch is here:
http://news.php.net/php.pear.core/9791

which is part of the PEAR-1.9.3 tree.
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-03-12 17:11:46 UTC 
(In reply to comment #18)
> This vulnerability has not been totally fixed as per the following messages:
> 

Thanks, Yury.

@php, looks like we have an upstream patch but no new release...
Comment 20 Ole Markus With (RETIRED) gentoo-dev 2011-03-14 22:20:39 UTC 
Added PEAR-PEAR-1.9.2-r1 with the patch. Hopefully this will do the trick.
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-03-15 03:57:31 UTC 
(In reply to comment #20)
> Added PEAR-PEAR-1.9.2-r1 with the patch. Hopefully this will do the trick.

Great, thank you.

Arches, please test and mark stable:
=dev-php/PEAR-PEAR-1.9.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 22 Agostino Sarubbo gentoo-dev 2011-03-15 12:25:20 UTC 
amd64 ok
Comment 23 Markos Chandras (RETIRED) gentoo-dev 2011-03-15 15:19:06 UTC 
amd64 done. Thanks Agostino
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-15 15:48:52 UTC 
Stable for HPPA.
Comment 25 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-15 18:01:17 UTC 
ppc/ppc64 stable
Comment 26 Thomas Kahle (RETIRED) gentoo-dev 2011-03-17 20:39:44 UTC 
x86 done... again.
Comment 27 Raúl Porcel (RETIRED) gentoo-dev 2011-03-18 17:27:39 UTC 
alpha/arm/ia64/s390/sh/sparc stable
Comment 28 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 22:39:16 UTC 
Thanks a second time, everyone. Still GLSA Vote: yes.
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:28:42 UTC 
CVE-2011-1144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144):
  The installer in PEAR 1.9.2 and earlier allows local users to overwrite
  arbitrary files via a symlink attack on the package.xml file, related to the
  (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download
  directories.  NOTE: this vulnerability exists because of an incomplete fix
  for CVE-2011-1072.

CVE-2011-1072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072):
  The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary
  files via a symlink attack on the package.xml file, related to the (1)
  download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download
  directories, a different vulnerability than CVE-2007-2519.
Comment 30 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:32:20 UTC 
Vote: YES. New GLSA request filed.
Comment 31 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:36:56 UTC 
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).