Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 675576 (CVE-2018-1000888) - <dev-php/PEAR-Archive_Tar-1.4.5: remote code execution vulnerability
Summary: <dev-php/PEAR-Archive_Tar-1.4.5: remote code execution vulnerability
Alias: CVE-2018-1000888
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on:
Reported: 2019-01-16 12:29 UTC by Eddie Chapman
Modified: 2020-06-15 15:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Eddie Chapman 2019-01-16 12:29:18 UTC
From MITRE CVE entry:

"PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4."

Other references:

Please note the vulnerability is reported as being fixed in 1.4.4, but 1.4.4 introduced a regression so a further release (1.4.5) was made (see ).

So of course the overall solution is to bump to the latest version 1.4.5.

Reproducible: Didn't try
Comment 1 Larry the Git Cow gentoo-dev 2019-01-16 14:57:16 UTC
The bug has been referenced in the following commit(s):

commit ca18a3ab3298533a4d2b035018f738f8cb4df5ad
Author:     Brian Evans <>
AuthorDate: 2019-01-16 14:56:53 +0000
Commit:     Brian Evans <>
CommitDate: 2019-01-16 14:56:53 +0000

    dev-php/PEAR-Archive_Tar: Version bump for 1.4.5
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Brian Evans <>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 +
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.5.ebuild | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2019-01-16 15:00:27 UTC
Please test and mark stable

As this is pure PHP text code, the ALLARCHES policy applies
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-01-24 22:26:31 UTC
All arches done.
Comment 4 Larry the Git Cow gentoo-dev 2019-01-24 23:30:25 UTC
The bug has been referenced in the following commit(s):

commit 5a158d06fe1dca9963ddbf792635adcbae1f6f73
Author:     Brian Evans <>
AuthorDate: 2019-01-24 23:30:11 +0000
Commit:     Brian Evans <>
CommitDate: 2019-01-24 23:30:11 +0000

    dev-php/PEAR-Archive_Tar: Drop vulnerable version
    Package-Manager: Portage-2.3.57, Repoman-2.3.12
    Signed-off-by: Brian Evans <>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 -
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.3.ebuild | 31 ----------------------
 2 files changed, 32 deletions(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 02:08:37 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 6 NATTkA bot gentoo-dev 2020-04-06 15:16:39 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:46:44 UTC
This issue was resolved and addressed in
 GLSA 202006-14 at
by GLSA coordinator Aaron Bauman (b-man).