Debian Bug report logs -
#368545
php-pear: CVE-2006-0931: PEAR::Archive_Tar directory traversal vulnerability
Reported by: Alec Berryman <alec@thened.net>
Date: Mon, 22 May 2006 22:48:02 UTC
Severity: important
Tags: security
Done: sean finney <seanius@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#368545; Package php-pear.
(full text, mbox, link).
Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php-pear
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-0931: "Directory traversal vulnerability in PEAR::Archive_Tar
1.2 allows remote attackers to create and overwrite arbitrary files via
certain crafted pathnames in a TAR archive."
This is PEAR bug 6933 [1] and appears unfixed upstream; the bug is open
and there has not been a new release in 2006. I presume that Debian's
version is affected, but have not tested. Unfortunately, the advisory
[2] does not include steps to reproduce, but rather has a vague link to
a utility to create sample malicious archives.
sarge and woody's php4-pear also contain PEAR::Archive_Tar.
Please include the CVE in your changelog.
Thanks,
Alec
[1] http://pear.php.net/bugs/bug.php?id=6933
[2] http://www.hamid.ir/security/phptar.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEcjxyAud/2YgchcQRAoL8AJ9l4zPHnlbuKk7pO2of3166koYnEACgltp0
pXpzZX1K7xsn2njzqsasPRo=
=ZYKt
-----END PGP SIGNATURE-----
Reply sent to sean finney <seanius@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 368545-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
hi alec,
examining this CVE report further, and discussing it with the security
team, the consensus is that this is not a vulnerability in php. the
attack vector is a just-so-slightly refactored input-sanitizing attack.
it is the responsibility of the application in question to ensure that
it does not do anything it shouldn't with the tarfiles in question, not
the php engine's.
however, if there are packages in debian using Archive::Tar, they should
certainly be inspected for this kind of vulnerability.
thanks,
sean
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 18 Jun 2007 05:33:39 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:03:33 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon