Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9

Hi,

The following vulnerability was published for php-pear.

CVE-2018-1000888[0]:
| PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915
| vulnerability in the Archive_Tar class. There are several file
| operations with `$v_header['filename']` as parameter (such as
| file_exists, is_file, is_dir, etc). When extract is called without a
| specific prefix path, we can trigger unserialization by crafting a tar
| file with `phar://[path_to_malicious_phar_file]` as path. Object
| injection can be used to trigger destruct in the loaded PHP classes,
| e.g. the Archive_Tar class itself. With Archive_Tar object injection,
| arbitrary file deletion can occur because
| `@unlink($this->_temp_tarname)` is called. If another class with
| useful gadget is loaded, it may be possible to cause remote code
| execution that can result in files being deleted or possibly modified.
| This vulnerability appears to have been fixed in 1.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
[1] https://pear.php.net/bugs/bug.php?id=23782
[2] https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
[3] https://www.exploit-db.com/exploits/46108/

Regards,
Salvatore
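
A pre-extraction check for the condition the CVE text describes, as an added example (not code from this report, from PEAR, or from the upstream fix): it lists tar entries whose stored filename begins with a `scheme://` prefix such as `phar://`, so an archive can be rejected before it is handed to an unpatched Archive_Tar. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import tarfile

# Any "scheme://" prefix, in any letter case. A regular archive member has no
# reason to start with one, so the check is not limited to "phar".
WRAPPER_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def wrapper_named_members(fileobj):
    """Return the stored names of entries that start with a scheme:// prefix.

    Only headers are read; nothing is extracted or written to disk.
    """
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if WRAPPER_PREFIX.match(member.name):
                flagged.append(member.name)
    return flagged


def build_sample(names):
    """Build a constructed in-memory tar whose entries carry the given names."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: one ordinary entry plus the placeholder path quoted
    # in the CVE description above.
    sample = build_sample([
        "docs/readme.txt",
        "phar://[path_to_malicious_phar_file]",
    ])
    hits = wrapper_named_members(sample)
    if hits:
        print("reject archive, wrapper-style entry names:", hits)
    else:
        print("no wrapper-style entry names found")
```

This is a screening step for archives from untrusted sources; the fix named in the CVE text is still the upgrade to Archive_Tar 1.4.4.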