Debian Bug report logs - #919147
php-pear: CVE-2018-1000888

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 13 Jan 2019 08:15:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions php-pear/1:1.10.6+submodules+notgz-1, php-pear/1:1.10.1+submodules+notgz-9

Fixed in versions php-pear/1:1.10.6+submodules+notgz-1.1, php-pear/1:1.10.1+submodules+notgz-9+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://pear.php.net/bugs/bug.php?id=23782



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#919147; Package src:php-pear. (Sun, 13 Jan 2019 08:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sun, 13 Jan 2019 08:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-pear: CVE-2018-1000888
Date: Sun, 13 Jan 2019 09:13:36 +0100
Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9

Hi,

The following vulnerability was published for php-pear.

CVE-2018-1000888[0]:
| PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915
| vulnerability in the Archive_Tar class. There are several file
| operations with `$v_header['filename']` as parameter (such as
| file_exists, is_file, is_dir, etc). When extract is called without a
| specific prefix path, we can trigger unserialization by crafting a tar
| file with `phar://[path_to_malicious_phar_file]` as path. Object
| injection can be used to trigger destruct in the loaded PHP classes,
| e.g. the Archive_Tar class itself. With Archive_Tar object injection,
| arbitrary file deletion can occur because
| `@unlink($this->_temp_tarname)` is called. If another class with
| useful gadget is loaded, it may be possible to cause remote code
| execution that can result in files being deleted or possibly modified.
| This vulnerability appears to have been fixed in 1.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
[1] https://pear.php.net/bugs/bug.php?id=23782
[2] https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
[3] https://www.exploit-db.com/exploits/46108/

Regards,
Salvatore
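The CVE text above describes how a tar entry's name, read straight from the archive header, is handed to PHP file functions and therefore to the stream-wrapper layer. As an added defender's check (not Archive_Tar's code and not the Debian patch), here is a Python scanner that parses the raw 512-byte tar headers the same way and flags every entry whose name would be resolved by a stream wrapper. The sample archive is constructed inline; the case-insensitive, any-wrapper match is broader than the literal "starts with phar://" check named in the Debian changelog.

```python
import io
import re
import tarfile

# Archive_Tar builds $v_header['filename'] from the 100-byte name field of
# each 512-byte header (plus the ustar prefix field) and passes it to
# file_exists(), is_dir() and friends, so a phar:// name reaches PHP's
# stream-wrapper layer.  PHP looks wrapper names up case-insensitively, so
# this check is case-insensitive too (our assumption; broader than the
# literal phar:// prefix check named in the Debian changelog).
WRAPPER_RE = re.compile(r"^[a-z0-9+.\-]+://", re.IGNORECASE)
BLOCK = 512


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded tar header string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def entry_names(data: bytes):
    """Yield each entry name as a header-level parser would assemble it."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:        # end-of-archive marker
            break
        name, prefix = _cstr(hdr[0:100]), _cstr(hdr[345:500])
        size = int(_cstr(hdr[124:136]).strip() or "0", 8)
        yield f"{prefix}/{name}" if prefix else name
        # skip the header block and the data blocks, rounded up to 512
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def suspicious_entries(data: bytes) -> list:
    """Entry names that would be handed to a PHP stream wrapper on extract."""
    return [n for n in entry_names(data) if WRAPPER_RE.match(n)]


def build_sample_tar(names) -> bytes:
    """Constructed sample archive: one empty regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for n in names:
            info = tarfile.TarInfo(n)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()
```

Running `suspicious_entries(build_sample_tar(["docs/README", "PHAR://evil.phar/x"]))` returns only the wrapper-prefixed entry, which is the signal to refuse the archive before it ever reaches an extractor.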



Marked as found in versions php-pear/1:1.10.1+submodules+notgz-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 13 Jan 2019 08:15:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#919147; Package src:php-pear. (Sun, 13 Jan 2019 14:30:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sun, 13 Jan 2019 14:30:02 GMT)


Message #12 received at 919147@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 919147@bugs.debian.org
Subject: php-pear: diff for NMU version 1:1.10.6+submodules+notgz-1.1
Date: Sun, 13 Jan 2019 15:27:32 +0100
Control: tags 919147 + pending

Dear maintainer,

I've prepared an NMU for php-pear (versioned as
1:1.10.6+submodules+notgz-1.1) and uploaded it to DELAYED/10. Please
feel free to tell me if I should delay it longer.

Regards,
Salvatore
[php-pear-1.10.6+submodules+notgz-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 919147-submit@bugs.debian.org. (Sun, 13 Jan 2019 14:30:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#919147; Package src:php-pear. (Mon, 14 Jan 2019 08:24:02 GMT)


Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Mon, 14 Jan 2019 08:24:02 GMT)


Message #19 received at 919147@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, "919147@bugs.debian.org" <919147@bugs.debian.org>
Subject: Re: [pkg-php-pear] Bug#919147: php-pear: diff for NMU version 1:1.10.6+submodules+notgz-1.1
Date: Mon, 14 Jan 2019 09:21:10 +0100
Hi Salvatore,

Please go ahead and reduce the delay!

(From phone)

Mathieu

On Sunday 13 January 2019, Salvatore Bonaccorso <carnil@debian.org>
wrote:
> Control: tags 919147 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for php-pear (versioned as
> 1:1.10.6+submodules+notgz-1.1) and uploaded it to DELAYED/10. Please
> feel free to tell me if I should delay it longer.
>
> Regards,
> Salvatore
>

-- 
Mathieu

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#919147; Package src:php-pear. (Mon, 14 Jan 2019 11:27:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Mon, 14 Jan 2019 11:27:08 GMT)


Message #24 received at 919147@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: "919147@bugs.debian.org" <919147@bugs.debian.org>
Subject: Re: [pkg-php-pear] Bug#919147: php-pear: diff for NMU version 1:1.10.6+submodules+notgz-1.1
Date: Mon, 14 Jan 2019 12:23:42 +0100
Hi Mathieu,

On Mon, Jan 14, 2019 at 09:21:10AM +0100, Mathieu Parent wrote:
> Hi Salvatore,
> 
> Please go ahead and reduce the delay !

Thank you, rescheduled!

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 14 Jan 2019 11:51:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 14 Jan 2019 11:51:15 GMT)


Message #29 received at 919147-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 919147-close@bugs.debian.org
Subject: Bug#919147: fixed in php-pear 1:1.10.6+submodules+notgz-1.1
Date: Mon, 14 Jan 2019 11:47:56 +0000
Source: php-pear
Source-Version: 1:1.10.6+submodules+notgz-1.1

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919147@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 13 Jan 2019 11:49:26 +0100
Source: php-pear
Binary: php-pear
Architecture: source
Version: 1:1.10.6+submodules+notgz-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 919147
Description: 
 php-pear   -
Changes:
 php-pear (1:1.10.6+submodules+notgz-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Don't allow filenames to start with phar:// (CVE-2018-1000888)
     (Closes: #919147)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 01 Feb 2019 23:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 01 Feb 2019 23:06:03 GMT)


Message #34 received at 919147-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 919147-close@bugs.debian.org
Subject: Bug#919147: fixed in php-pear 1:1.10.1+submodules+notgz-9+deb9u1
Date: Fri, 01 Feb 2019 23:03:26 +0000
Source: php-pear
Source-Version: 1:1.10.1+submodules+notgz-9+deb9u1

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919147@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 22 Jan 2019 23:09:37 +0100
Source: php-pear
Binary: php-pear
Architecture: source
Version: 1:1.10.1+submodules+notgz-9+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 919147
Description: 
 php-pear   - ${phppear:summary}
Changes:
 php-pear (1:1.10.1+submodules+notgz-9+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Don't allow filenames to start with phar:// (CVE-2018-1000888)
     (Closes: #919147)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Mar 2019 07:29:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:13 2019; Machine Name: buxtehude