Package: php-pear Version: 5.2.0-8+etch7 Severity: grave Tags: patch security
Hello, Overview: ========= Lack of validation of the install-as attribute in package.xml version 1.0 and of the <install> tag in package.xml version 2.0 allows attackers to install files in any location and possibly overwrite crucial system files if the PEAR Installer is running as a privileged user. Vendor advisory: http://pear.php.net/advisory-20070507.txt CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2519 I attach a patch backported by Ubuntu for this security issue. Regards, -- Gregory Colpart <[EMAIL PROTECTED]> GnuPG:1024D/C1027A0E Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
diff -uNrp PEAR-1.5.3/PEAR/Installer.php PEAR-1.5.4/PEAR/Installer.php --- PEAR-1.5.3/PEAR/Installer.php 2007-04-18 20:01:48.000000000 -0700 +++ PEAR-1.5.4/PEAR/Installer.php 2007-05-07 21:10:49.000000000 -0700 @@ -292,6 +292,9 @@ class PEAR_Installer extends PEAR_Downlo $installedas_dest_file = $installedas_dest_dir . DIRECTORY_SEPARATOR . '.tmp' . basename($final_dest_file); } $dest_dir = dirname($final_dest_file); + if (preg_match('~/\.\.(/|\\z)|^\.\./~', str_replace('\\', '/', $dest_file))) { + return $this->raiseError("SECURITY ERROR: file $file (installed to $dest_file) contains parent directory reference ..", PEAR_INSTALLER_FAILED); + } $dest_file = $dest_dir . DIRECTORY_SEPARATOR . '.tmp' . basename($final_dest_file); // }}} @@ -482,6 +485,9 @@ class PEAR_Installer extends PEAR_Downlo } else { list($save_destdir, $dest_dir, $dest_file, $orig_file) = $info; } + if (preg_match('~/\.\.(/|\\z)|^\.\./~', str_replace('\\', '/', $dest_file))) { + return $this->raiseError("SECURITY ERROR: file $file (installed to $dest_file) contains parent directory reference ..", PEAR_INSTALLER_FAILED); + } $final_dest_file = $installed_as = $dest_file; if (isset($this->_options['packagingroot'])) { $final_dest_file = $this->_prependPath($final_dest_file,