Control: tags 919147 + pending

Dear maintainer,

I've prepared an NMU for php-pear (versioned as
1:1.10.6+submodules+notgz-1.1) and uploaded it to DELAYED/10. Please
feel free to tell me if I should delay it longer.

Regards,
Salvatore

diff -Nru php-pear-1.10.6+submodules+notgz/debian/changelog php-pear-1.10.6+submodules+notgz/debian/changelog
--- php-pear-1.10.6+submodules+notgz/debian/changelog	2018-10-01 14:15:44.000000000 +0200
+++ php-pear-1.10.6+submodules+notgz/debian/changelog	2019-01-13 11:49:26.000000000 +0100
@@ -1,3 +1,11 @@
+php-pear (1:1.10.6+submodules+notgz-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't allow filenames to start with phar:// (CVE-2018-1000888)
+    (Closes: #919147)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 13 Jan 2019 11:49:26 +0100
+
 php-pear (1:1.10.6+submodules+notgz-1) unstable; urgency=medium
 
   * Update PEAR to 10.1.6
diff -Nru php-pear-1.10.6+submodules+notgz/debian/patches/0003-Don-t-allow-filenames-to-start-with-phar.patch php-pear-1.10.6+submodules+notgz/debian/patches/0003-Don-t-allow-filenames-to-start-with-phar.patch
--- php-pear-1.10.6+submodules+notgz/debian/patches/0003-Don-t-allow-filenames-to-start-with-phar.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-pear-1.10.6+submodules+notgz/debian/patches/0003-Don-t-allow-filenames-to-start-with-phar.patch	2019-01-13 11:49:26.000000000 +0100
@@ -0,0 +1,23 @@
+From: Michiel Rook <mr...@php.net>
+Date: Thu, 20 Dec 2018 19:11:37 +0100
+Subject: Don't allow filenames to start with phar://
+Origin: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000888
+Bug-Debian: https://bugs.debian.org/919147
+Bug: https://pear.php.net/bugs/bug.php?id=23782
+
+---
+
+index 0bd1c6caae99..57a6d87f5b16 100644
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -1767,6 +1767,9 @@ class Archive_Tar extends PEAR
+      */
+     private function _maliciousFilename($file)
+     {
++        if (strpos($file, 'phar://') === 0) {
++            return true;
++        }
+         if (strpos($file, '/../') !== false) {
+             return true;
+         }
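Review bot: the new check in `_maliciousFilename` (`strpos($file, 'phar://') === 0`) is a case-sensitive match on one exact prefix, so it only rejects entry names that begin with that literal lowercase string; since the intent stated in the Subject is to keep archive entries from being interpreted as a stream wrapper path rather than a plain filename, consider a case-insensitive comparison (`stripos($file, 'phar://') === 0`) or, more robustly, rejecting any entry name that carries a `scheme://` wrapper prefix at all, and adding a unit test alongside the existing `/../` case so the rejection is covered.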
diff -Nru php-pear-1.10.6+submodules+notgz/debian/patches/series php-pear-1.10.6+submodules+notgz/debian/patches/series
--- php-pear-1.10.6+submodules+notgz/debian/patches/series	2018-10-01 14:15:44.000000000 +0200
+++ php-pear-1.10.6+submodules+notgz/debian/patches/series	2019-01-13 11:49:26.000000000 +0100
@@ -1,2 +1,3 @@
 0001-pecl-command-needs-to-run-without-n-to-pickup-defaul.patch
 0002-Fix-PECL-extensions-FTBFS-with-PHP-Fatal-error-Call-.patch
+0003-Don-t-allow-filenames-to-start-with-phar.patch
