Your message dated Mon, 14 Jan 2019 11:47:56 +0000
with message-id <e1gj0ii-0003wj...@fasolo.debian.org>
and subject line Bug#919147: fixed in php-pear 1:1.10.6+submodules+notgz-1.1
has caused the Debian Bug report #919147,
regarding php-pear: CVE-2018-1000888
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
919147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919147
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9

Hi,

The following vulnerability was published for php-pear.

CVE-2018-1000888[0]:
| PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915
| vulnerability in the Archive_Tar class. There are several file
| operations with `$v_header['filename']` as parameter (such as
| file_exists, is_file, is_dir, etc). When extract is called without a
| specific prefix path, we can trigger unserialization by crafting a tar
| file with `phar://[path_to_malicious_phar_file]` as path. Object
| injection can be used to trigger destruct in the loaded PHP classes,
| e.g. the Archive_Tar class itself. With Archive_Tar object injection,
| arbitrary file deletion can occur because
| `@unlink($this->_temp_tarname)` is called. If another class with
| useful gadget is loaded, it may be possible to cause remote code
| execution that can result in files being deleted or possibly modified.
| This vulnerability appears to have been fixed in 1.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
[1] https://pear.php.net/bugs/bug.php?id=23782
[2] https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
[3] https://www.exploit-db.com/exploits/46108/

Regards,
Salvatore

--- End Message ---
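The chain the CVE text above describes, as an added example in PHP that is not part of the bug report, of Archive_Tar, or of the Debian package: a destructor gadget shaped like Archive_Tar's `@unlink($this->_temp_tarname)`, the unserialize() sink that the phar:// wrapper reaches on PHP 7 when a stat-type call such as file_exists() is made on a `phar://` path, and an entry-name check of the kind the NMU changelog describes ("don't allow filenames to start with phar://"), generalised to any stream-wrapper scheme. The class `TempTarHolder`, the two functions and the victim file path are hypothetical names constructed for the demo. No phar is built: PHP 8.0 and later no longer unserialize phar metadata implicitly on stream operations, so the gadget is reached through unserialize() directly, which is exactly what the wrapper did for the attacker on PHP 7.

```php
<?php
declare(strict_types=1);
// Added example, not Archive_Tar's or Debian's code. Hypothetical names throughout.

// --- Part 1: the gadget. A class whose destructor deletes a file it holds a
// path to, the same shape as Archive_Tar::__destruct() calling
// @unlink($this->_temp_tarname). Any class with such a destructor that is
// loaded at unserialize time is usable by the attacker.
final class TempTarHolder
{
    public string $tempName = '';

    public function __destruct()
    {
        if ($this->tempName !== '') {
            @unlink($this->tempName);
        }
    }
}

// --- Part 2: the sink. On PHP 7, file_exists('phar://evil.phar/x') makes the
// phar wrapper parse evil.phar and unserialize() its metadata block, so an
// attacker who controls the tar member name (and can place a phar on disk)
// reaches the equivalent of this call with attacker-chosen bytes.
function attackerControlledUnserialize(string $payload): void
{
    // The returned object is dropped immediately, so __destruct runs here.
    unserialize($payload, ['allowed_classes' => true]);
}

// --- Part 3: the check. Reject any entry name PHP would route to a stream
// wrapper, not only the literal lowercase "phar://", and also absolute paths
// and ".." traversal, which an extractor without a prefix path must refuse.
function isSafeTarEntryName(string $name): bool
{
    // scheme:// (phar://, PHAR://, file://, data://, php://, compress.zlib://)
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $name) === 1) {
        return false;
    }
    if ($name === '' || $name[0] === '/' || $name[0] === '\\') {
        return false;
    }
    foreach (preg_split('#[/\\\\]+#', $name) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// --- Demonstration on constructed inputs ---
$victim = sys_get_temp_dir() . '/cve-2018-1000888-victim.txt';
file_put_contents($victim, "important\n");

// Serialized TempTarHolder pointing at the victim file: this is the kind of
// string a malicious phar would carry in its metadata block.
$payload = sprintf(
    'O:13:"TempTarHolder":1:{s:8:"tempName";s:%d:"%s";}',
    strlen($victim),
    $victim
);

printf("before unserialize: %s\n", file_exists($victim) ? 'exists' : 'gone');
attackerControlledUnserialize($payload);
printf("after unserialize:  %s\n", file_exists($victim) ? 'exists' : 'gone');

$names = [
    'phar://tmp/evil.phar/x',
    'PHAR://tmp/evil.phar/x',
    'data://text/plain;base64,QUJD',
    '/etc/passwd',
    '../../etc/passwd',
    'dir/sub/file.txt',
];
foreach ($names as $n) {
    printf("%-32s %s\n", $n, isSafeTarEntryName($n) ? 'ok' : 'REJECTED');
}
```

Run it with `php example.php`: the victim file is created and then removed by the destructor of the deserialized object, with no call to unlink anywhere in the attacker-reachable input. The check rejects any `scheme://` prefix case-insensitively rather than only the lowercase literal `phar://`, because PHP's wrapper lookup lower-cases the scheme before matching and other wrappers exist beyond phar; a prefix test limited to the exact string the changelog names is therefore the minimum, not the target.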
--- Begin Message ---
Source: php-pear
Source-Version: 1:1.10.6+submodules+notgz-1.1

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Jan 2019 11:49:26 +0100
Source: php-pear
Binary: php-pear
Architecture: source
Version: 1:1.10.6+submodules+notgz-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 919147
Description: 
 php-pear   -
Changes:
 php-pear (1:1.10.6+submodules+notgz-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Don't allow filenames to start with phar:// (CVE-2018-1000888)
     (Closes: #919147)
Checksums-Sha1: 
 7888015e3dbf38ce7bbabdf0f03209f5c864d3d4 2252 php-pear_1.10.6+submodules+notgz-1.1.dsc
 87e00467d5652a1131cc26c3475d67063fb28d86 6412 php-pear_1.10.6+submodules+notgz-1.1.debian.tar.xz
Checksums-Sha256: 
 c7b4286a89a6f3fe1d2f749288229385b438ea40d28ddf1712369c184c8dafc2 2252 php-pear_1.10.6+submodules+notgz-1.1.dsc
 bd37338b4195b0aad53073b0c9a93e8ad00ffc06f4488fd82b41bd257a3faa91 6412 php-pear_1.10.6+submodules+notgz-1.1.debian.tar.xz
Files: 
 ce9f3201b933828a0fd1408f4d90efb7 2252 php optional php-pear_1.10.6+submodules+notgz-1.1.dsc
 f7b51334a952e133fb5a2e264befd3ff 6412 php optional php-pear_1.10.6+submodules+notgz-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
