Bug 1669615 (CVE-2018-1000888)

Summary: CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, fedora, hhorak, jorton, rcollet
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Archive_Tar 1.4.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:54:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1669616, 1684509, 1684510, 1684511, 1684512, 1684520    
Bug Blocks: 1669617    

Description Pedro Sampaio 2019-01-25 19:30:14 UTC 
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

Upstream bug:

https://pear.php.net/bugs/bug.php?id=23782

Upstream patch:

https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76

References:

https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
https://blog.ripstech.com/2018/new-php-exploitation-technique/
Comment 1 Pedro Sampaio 2019-01-25 19:30:25 UTC 
Created php-pear tracking bugs for this issue:

Affects: fedora-all [bug 1669616]
Comment 4 Stefan Cornelius 2019-03-01 12:30:10 UTC 
Statement:

This issue affects the versions of php-pear as shipped with Red Hat Enterprise Linux 6 and 7.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue did not affect the versions of php-pear as shipped with Red Hat Enterprise Linux 5.