Bug 1418771 (CVE-2017-5630)

Summary: CVE-2017-5630 php-pear: File overwrite by malicious server
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, hhorak, jorton, rcollet, rpm, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in php-pear where if a malicious server responded to a pear
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-06 07:08:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1418773    
Bug Blocks: 1418772    

Description Andrej Nemec 2017-02-02 16:54:02 UTC
PECL in the download utility class in the Installer in PEAR Base System
v1.10.1 does not validate file types and filenames after a redirect,
which allows remote HTTP servers to overwrite files via crafted
responses, as demonstrated by a .htaccess overwrite.

Upstream bug:


Comment 1 Andrej Nemec 2017-02-02 16:56:06 UTC
Created php-pear tracking bugs for this issue:

Affects: fedora-all [bug 1418773]

Comment 3 Doran Moppert 2017-04-06 07:07:07 UTC

This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.

Comment 4 Doran Moppert 2017-04-06 07:07:16 UTC

Since pear's purpose is to download libraries for inclusion in an application, any use of `pear install` or `pear download` implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.