Bug 1808536 (CVE-2020-7063) - CVE-2020-7063 php: Files added to tar with Phar::buildFromIterator have all-access permissions
Summary: CVE-2020-7063 php: Files added to tar with Phar::buildFromIterator have all-a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7063
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1808537 1810261 1810262 1810263 1810264 1810265 1857712
Blocks: 1808539
 
Reported: 2020-02-28 18:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-12-15 17:25 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:01 UTC
Embargoed:


Attachments


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:3662  0        None      None    None     2020-09-08 09:47:17 UTC
Red Hat Product Errata  RHSA-2020:5275  0        None      None    None     2020-12-01 12:03:23 UTC

Description Guilherme de Almeida Suckevicz 2020-02-28 18:29:23 UTC
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.

Reference:
https://bugs.php.net/bug.php?id=79082
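
The following is an added example written for this bug report; it is not code from php-src, from the upstream bug, or from the reporter. It builds a tar with PharData::buildFromIterator() from a scratch directory holding a 0600 file, compares the permission bits stored for each entry (read back through the phar:// stream wrapper) with the mode of the source file, and then tightens the entries with PharFileInfo::chmod() so the archive is safe to ship from either an affected or a fixed PHP. The directory, file name and file contents are constructed for the example; the function names buildTar, findWidenedEntries and restoreSourceModes are the example's own. PharData archives can be created without turning off phar.readonly, so `php example.php` is enough to run it.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2020-7063 (not code from php-src or the bug reporter).
// Builds a tar via PharData::buildFromIterator(), lists entries whose stored
// mode is wider than the source file's mode, then copies the source modes back.
// Assumes the phar extension is loaded. On an affected PHP (< 7.2.28 / 7.3.15 /
// 7.4.3) every file that was not already 0666 on disk is reported; on a fixed
// PHP nothing is reported.

function buildTar(string $srcDir, string $tarPath): PharData
{
    if (is_file($tarPath)) {
        unlink($tarPath);
    }
    $tar = new PharData($tarPath, 0, null, Phar::TAR);
    $tar->buildFromIterator(
        new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
        ),
        rtrim($srcDir, '/') . '/'   // base directory stripped from each entry name
    );
    return $tar;
}

// Returns [relative path => "source NNNN, archive NNNN"] for every file whose
// archive mode grants a permission bit the source mode does not.
function findWidenedEntries(PharData $tar, string $srcDir): array
{
    $widened = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel     = substr($file->getPathname(), strlen(rtrim($srcDir, '/')) + 1);
        $srcMode = $file->getPerms() & 0777;
        $tarMode = $tar[$rel]->getPerms() & 0777;   // stat through the phar:// wrapper
        if (($tarMode & ~$srcMode) !== 0) {
            $widened[$rel] = sprintf('source %04o, archive %04o', $srcMode, $tarMode);
        }
    }
    return $widened;
}

// Hardening that works on both affected and fixed builds: copy the source
// file's mode onto each entry before the archive leaves the build host.
function restoreSourceModes(PharData $tar, string $srcDir): void
{
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen(rtrim($srcDir, '/')) + 1);
        $tar[$rel]->chmod($file->getPerms() & 0777);
    }
}

// Constructed input: a scratch directory holding one private file.
$srcDir = sys_get_temp_dir() . '/cve-2020-7063-src-' . getmypid();
mkdir($srcDir . '/conf', 0700, true);
file_put_contents($srcDir . '/conf/secret.ini', "token=constructed-for-example\n");
chmod($srcDir . '/conf/secret.ini', 0600);

$tarPath = sys_get_temp_dir() . '/cve-2020-7063-' . getmypid() . '.tar';
$tar = buildTar($srcDir, $tarPath);

printf("PHP %s\n", PHP_VERSION);
foreach (findWidenedEntries($tar, $srcDir) as $rel => $detail) {
    printf("WIDENED %s: %s\n", $rel, $detail);
}

restoreSourceModes($tar, $srcDir);
printf("after chmod: %d widened entries\n", count(findWidenedEntries($tar, $srcDir)));
```

The check is the same one you would run in a release pipeline: a non-empty result from findWidenedEntries means the tar will hand out more permissions than the source tree did once it is extracted, which is the condition the report describes.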

Comment 1 Guilherme de Almeida Suckevicz 2020-02-28 18:29:40 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1808537]

Comment 4 Marco Benatto 2020-03-04 20:09:04 UTC
Upstream commit for this issue:
http://git.php.net/?p=php-src.git;a=commit;h=e5c95234d87fcb8f6b7569a96a89d1e1544749a6

Comment 9 errata-xmlrpc 2020-09-08 09:47:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 10 Product Security DevOps Team 2020-09-08 13:19:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7063

Comment 11 errata-xmlrpc 2020-12-01 12:03:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5275 https://access.redhat.com/errata/RHSA-2020:5275

