SECURITY VULNERABILITY ANNOUNCEMENT
November 4, 2005

Advisory: PEAR installer arbitrary code execution vulnerability
Release Date: 2005/11/04
Last Modified: 2005/11/04
Author: Gregory Beaver [cellog@php.net]
Application: PEAR installer <= 1.4.2
Severity: A standard feature of the PEAR installer implemented in all versions of PEAR can lead to the execution of arbitrary PHP code upon running the "pear" command or loading the Web/Gtk frontend.
Risk: Low
Vendor Status: The PEAR project has released an updated version
References: http://pear.php.net/advisory-20051104.txt

Overview:
The PEAR installer is available from http://pear.php.net/package/PEAR. The PEAR installer is used to install PHP-based software packages distributed from pear.php.net and PHP extensions from pecl.php.net. As of version 1.4.0, the PEAR installer can also install software packages from other sources, known as "channels." A poorly-implemented feature allows a package installed by the PEAR installer to execute arbitrary code any time the "pear" command is executed or the Web/Gtk frontend is loaded.

Details:
To be vulnerable, a user must explicitly install a publicly released malicious package using the PEAR installer, or explicitly install a package that depends on a malicious package. Full details of the vulnerability will be released at a later date.

Proof of concept:
The PEAR development team will not release an example exploit to the public.

Disclosure Timeline:
01. November 2005 - vulnerability discovered by Gregory Beaver
02. November 2005 - possible solutions discussed privately
03. November 2005 - The PEAR Project releases new bugfixed version
04. November 2005 - Public disclosure

Recommendation:
We strongly recommend upgrading to the new version, PEAR 1.4.3:
pear upgrade PEAR-1.4.3
http://pear.php.net/get/PEAR-1.4.3.tgz

Reproducible: Always

Latest version is 1.4.4, not 1.4.3 (the patched version did not work with PHP 4.2).
The PEAR installer is included in all PHP archives. All PHP ebuilds depend on vulnerable PEAR versions if the "pear" USE flag is set:
pear? ( >=dev-php/PEAR-PEAR-1.3.6 )
http://greg.chiaraquartet.net/archives/99-Security-Vulnerability-in-all-PEAR-versions-prior-to-1.4.3-discovered.html
php please advise.
We have an ebuild for PEAR 1.4.X in our SVN Overlay, but that still needs some work/testing. PEAR 1.4.0 introduced a lot of changes to the PEAR infrastructure.
I added an ebuild for PEAR-1.4.4 there, but as Sebastian wrote, PEAR-1.4 ebuilds are in experimental tree of the overlay. http://svn.gnqs.org/projects/gentoo-php-overlay/browser/experimental/dev-php/PEAR-PEAR/
"To be vulnerable, a user must explicitly install a publicly released malicious package using the PEAR installer, or explicitly install a package that depends on a malicious package." If you install a malicious package, it's probably to run the code in it, so you're pretty much already 0wned...
Anyway, this is minor, but should nevertheless be fixed. It can wait until it is de-experimentalized, I suppose.
Any news on this one?
Hm, any ETA for having latest PEAR in ? Otherwise I would just close this one, it sucks anyway.
Bah, closing as wontfix, see comment #4. Feel free to upgrade the package though.
FYI: http://greg.chiaraquartet.net/archives/107-Why-it-is-very-important-to-upgrade-to-PEAR-1.4.6-from-PEAR-1.3.x.html
*** Bug 118262 has been marked as a duplicate of this bug. ***
reopening like requested because of new information about the issue, waiting for ebuilds.
PHP herd, what would be your opinion on this ? I don't find the Why-it-is-very-important-to-upgrade-to-PEAR-1.4.6-from-PEAR-1.3.x.html very convincing.
Yeah, we'll try anyway to have PEAR 1.4.X in the tree soon, as it is a "better" PEAR installer than 1.3.X, and it fixes the security bugs, but atm it's a no-go: only >=1.4.6 has the --packagingroot directive which we need to let PEAR packages be built correctly in the sandbox, but atm PEAR 1.4.6 only gives us a Fatal Error and dies, so we can't really ship that... :) We'll try to fix that and have a working PEAR 1.4.X in the tree soon, I hope. Best regards, CHTEKK.
There is also this thing, from Bugtraq... Not sure how accessible it is though.
=========================
A vulnerability exists within version 0.2.2 of go-pear.php, part of PHP's PEAR Package. The problem lies in the script's capacity to utilize a proxy server. An attacker can take advantage of this option by providing it with a malicious proxy server that is configured to redirect the original request to another file server. By simply mirroring the requested content from the intended file server the attacker can assure the script continues running uninterrupted. Hosting a modified version of "Tar.php" and prepending code to the extractModify() function will allow the attacker to run any PHP code of their choosing. This occurs because go-pear uses "Tar.php" to extract all the packages it previously retrieved; in doing so it invokes the now compromised version of extractModify().
=====================================
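The proxy-redirect attack quoted above works because go-pear executes whatever Tar.php the proxy hands back, with nothing but "the download completed" standing between the attacker and code execution. The PHP below is an added example written for this bug, not go-pear's or PEAR's own code: it models that fetch-then-include pattern beside a variant that pins a SHA-256 digest of the expected file and refuses to include anything that does not match. The file bodies, the fetchViaProxy() stand-in for the proxied download and the pinned digest computed at the bottom are all constructed for illustration; a real installer would ship the digest as a literal inside the script rather than compute it.

```php
<?php
declare(strict_types=1);

// Added example, not go-pear's code. Constructed stand-in for the fetched
// Tar.php: the real file is much larger, but only its bytes matter here.
function legitimateTarPhp(): string
{
    return "<?php\nreturn 'Archive_Tar loaded';\n";
}

// The same file as a malicious proxy would serve it. Code prepended at file
// scope runs the moment the file is included, before any extract call is
// made; the payload here is a harmless marker instead of a real one. The
// include still returns the expected value, so the installer carries on
// "uninterrupted", exactly as the Bugtraq post describes.
function tamperedTarPhp(): string
{
    $payload = "<?php\n\$GLOBALS['attacker_ran'] = true;\n";
    return $payload . substr(legitimateTarPhp(), strlen("<?php\n"));
}

// Constructed stand-in for the proxied HTTP download. $malicious models a
// proxy that redirects the request to the attacker's mirror.
function fetchViaProxy(bool $malicious): string
{
    return $malicious ? tamperedTarPhp() : legitimateTarPhp();
}

// Writes the body to a temp file, includes it and returns the include result.
function includeBody(string $body)
{
    $path = tempnam(sys_get_temp_dir(), 'tar');
    file_put_contents($path, $body);
    try {
        return include $path;
    } finally {
        unlink($path);
    }
}

// Vulnerable pattern: whatever came back from the proxy is executed.
// Returns [include result, whether the attacker's marker fired].
function installUnverified(string $body): array
{
    unset($GLOBALS['attacker_ran']);
    $result = includeBody($body);
    return [$result, !empty($GLOBALS['attacker_ran'])];
}

// Hardened pattern: hash the download before a single byte of it runs and
// compare, in constant time, against a digest that did NOT travel through
// the proxy. A mismatch aborts the install.
function installVerified(string $body, string $pinnedSha256)
{
    $actual = hash('sha256', $body);
    if (!hash_equals($pinnedSha256, $actual)) {
        throw new RuntimeException(
            "Tar.php digest mismatch: expected $pinnedSha256, got $actual"
        );
    }
    return includeBody($body);
}

// In a real installer this is a literal shipped inside go-pear.php; it is
// computed here only to keep the example self-contained.
$pinned = hash('sha256', legitimateTarPhp());

[$result, $ran] = installUnverified(fetchViaProxy(false));
printf("unverified, honest proxy:    %s, attacker code ran: %s\n",
    $result, var_export($ran, true));

[$result, $ran] = installUnverified(fetchViaProxy(true));
printf("unverified, malicious proxy: %s, attacker code ran: %s\n",
    $result, var_export($ran, true));

try {
    installVerified(fetchViaProxy(true), $pinned);
} catch (RuntimeException $e) {
    echo "verified, malicious proxy:   rejected (", $e->getMessage(), ")\n";
}

echo "verified, honest proxy:      ",
    installVerified(fetchViaProxy(false), $pinned), "\n";
```

The second unverified run is the whole bug: the include returns the same value as the honest case, so nothing in the installer's control flow notices that extra code already executed. The pinned digest only helps if it reaches the machine by a path the proxy cannot rewrite (embedded in the script the user already has, or fetched over an authenticated channel); hashing a download against a digest pulled through the same proxy adds nothing.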
UPDATE: we got PEAR-1.4.6 working on the PHP Overlay, I'll do some more testing today and move it to the testing/ branch of the overlay, and then to Portage CVS on monday if there are no problems found. Once it's in Portage, I'll update this bug and we can see to have the arch-teams keyword it appropriately. Best regards, CHTEKK.
Great news, Luca. Could you look at the issue I emailed you about (eZ components channel registration)? Thanks!
dev-php/PEAR-PEAR-1.4.6 is in the tree now.
arches - please test and mark stable, thx.
x86 done
stable on ppc64
sparc stable.
ppc stable
Marked ~hppa.
amd64 stable
re-CCing hppa as the keyword was removed by the php team to prohibit problems because of other packages that need to be stabled first, see bug #119461 for details.
We (hppa) have some problems with php at the moment. Because we aren't php 5 ready. I hope we'll fix it soon.
Alpha stable.
(In reply to comment #26) > We (hppa) have some problems with php at the moment. Because we aren't php 5 > ready. I hope we'll fix it soon. Killerfox, if you have issues w/ php-5 on hppa, please keyword dev-lang/php-4 (and related ebuilds) only meanwhile, you don't need php-5 keyworded for PEAR-PEAR-1.4.6-r1. Thanks.
Marked stable on hppa. Removing CC.
let's better have a glsa vote here ... i have no opinion yet, need to re-read all the dirty details before
I vote NO.
concur - vote=no glsa
Voting no and closing, this one doesn't smell right, see my comment #4