Bug 1669615 (CVE-2018-1000888) - CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class
Summary: CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class
Status: NEW
Alias: CVE-2018-1000888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181228,repor...
Keywords: Security
Depends On: 1684509 1684510 1684511 1684512 1684520 1669616
Blocks: 1669617
TreeView+ depends on / blocked
 
Reported: 2019-01-25 19:30 UTC by Pedro Sampaio
Modified: 2019-06-08 23:49 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-01-25 19:30:14 UTC
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

Upstream bug:

https://pear.php.net/bugs/bug.php?id=23782

Upstream patch:

https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76

References:

https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
https://blog.ripstech.com/2018/new-php-exploitation-technique/

Comment 1 Pedro Sampaio 2019-01-25 19:30:25 UTC
Created php-pear tracking bugs for this issue:

Affects: fedora-all [bug 1669616]

Comment 4 Stefan Cornelius 2019-03-01 12:30:10 UTC
Statement:

This issue affects the versions of php-pear as shipped with Red Hat Enterprise Linux 6 and 7.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue did not affect the versions of php-pear as shipped with Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.