Bug 810526 - <dev-lang/php-{7.3.20, 7.4.23}: archive creation symlink following
Summary: <dev-lang/php-{7.3.20, 7.4.23}: archive creation symlink following
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=81211
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 815253
Blocks:
Reported: 2021-08-26 19:38 UTC by John Helmert III
Modified: 2022-09-29 14:52 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2021-08-26 19:38:53 UTC
From URL:

When constructing a PHAR/TAR archive using PharData::buildFromDirectory and PharData::buildFromIterator, the file paths returned by RecursiveIteratorIterator are validated to ensure that the files are from inside the specified directory: https://github.com/php/php-src/blob/aff365871aec54c9a556d7667f131b8638d20194/ext/phar/phar_object.c#L1504
However, due to the check being too lenient, it can be bypassed with the following values:
- base:  /usr/foo
- fname: /usr/foobar
or
- base:  /tmp
- fname: /var/tmp

Expected result:
----------------
UnexpectedValueException is thrown.

Fatal error: Uncaught UnexpectedValueException: Iterator RecursiveIteratorIterator returned a path "/tmp/usr/foobar/file" that is not in the base directory "/tmp/usr/foo"...

Actual result:
--------------
/tmp/usr/foobar/file (which is outside of the base directory /tmp/usr/foo) is included in archive.tar


Seems fixed in 7.3.20 and 7.4.23, so please bump.
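The two value pairs quoted above are the classic signature of a base-directory check that tests for string containment rather than for a path-component prefix: "/usr/foo" is a substring of "/usr/foobar", and "/tmp" is a substring of "/var/tmp". The following added example (not code from php-src or from this bug) puts a constructed lenient check of that kind next to a strict one that requires the base to be followed by a path separator or the end of the string. The function names, the strstr-based lenient check and the sample paths are assumptions made for illustration; the sample paths are taken from the bug description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the weak check class: the base directory only
 * has to appear somewhere inside the candidate path. It is NOT the php-src
 * code; it is the kind of test both value pairs from the bug report slip past. */
bool lenient_in_base(const char *base, const char *fname)
{
    return strstr(fname, base) != NULL;
}

/* Strict containment check: the candidate must start with base, and the
 * character right after the base must be a '/' or the end of the string, so
 * that "/usr/foobar" is not accepted for base "/usr/foo". */
bool strict_in_base(const char *base, const char *fname)
{
    size_t base_len = strlen(base);

    /* Normalise a trailing slash on base so "/tmp/" and "/tmp" behave alike. */
    while (base_len > 1 && base[base_len - 1] == '/')
        base_len--;

    /* The filesystem root contains every absolute path. */
    if (base_len == 1 && base[0] == '/')
        return fname[0] == '/';

    if (strncmp(base, fname, base_len) != 0)
        return false;

    return fname[base_len] == '/' || fname[base_len] == '\0';
}

int main(void)
{
    /* Constructed sample pairs; the first two are the bypass values quoted in
     * the bug description, the third is a legitimate in-base file. */
    struct { const char *base, *fname; } cases[] = {
        { "/usr/foo",     "/usr/foobar/file" },
        { "/tmp",         "/var/tmp/file" },
        { "/tmp/usr/foo", "/tmp/usr/foo/file" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("base=%-13s fname=%-19s lenient=%d strict=%d\n",
               cases[i].base, cases[i].fname,
               lenient_in_base(cases[i].base, cases[i].fname),
               strict_in_base(cases[i].base, cases[i].fname));
    }
    return 0;
}
```

The string comparison is only half of a containment check: because the bug title is about symlink following, a real implementation has to canonicalise both the base and the candidate (realpath or an equivalent) before comparing them, otherwise a link inside the base that points elsewhere still passes the strict test.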
Comment 1 Sam James 2021-08-28 03:30:12 UTC
Please stable when ready.
Comment 2 Sam James 2021-09-08 01:46:28 UTC
ping
Comment 3 John Helmert III 2021-09-29 02:10:36 UTC
Earliest fixed version in tree should be the one in the summary (and thus recommended as the minimum version to users to fix the vulnerability)
Comment 4 John Helmert III 2022-09-26 14:23:18 UTC
GLSA request filed
Comment 5 Larry the Git Cow 2022-09-29 14:48:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
Comment 6 John Helmert III 2022-09-29 14:52:04 UTC
GLSA released, all done!