CVE-2018-1000888

Опубликовано: 28 дек. 2018

Источник: redhat

CVSS3: 8.1

Описание

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with $v_header['filename'] as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with phar://[path_to_malicious_phar_file] as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

Отчет

This issue affects the versions of php-pear as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. This issue did not affect the versions of php-pear as shipped with Red Hat Enterprise Linux 5. The vulnerable version of php-pear on Red Hat Enterprise Linux 8 is deprecated as well.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 5	php-pear	Not affected
Red Hat Enterprise Linux 6	php-pear	Will not fix
Red Hat Enterprise Linux 7	php-pear	Will not fix
Red Hat Enterprise Linux 8	php-pear	Will not fix
Red Hat Software Collections	rh-php70-php-pear	Out of support scope
Red Hat Software Collections	rh-php71-php-pear	Out of support scope
Red Hat Software Collections	rh-php72-php-pear	Out of support scope
Red Hat Software Collections	rh-php73-php-pear	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-502

https://bugzilla.redhat.com/show_bug.cgi?id=1669615php-pear: Unsafe deserialization of data in Archive_Tar class

8.1 High

CVSS3

Связанные уязвимости

CVE-2018-1000888

CVSS3: 8.8

ubuntu

около 7 лет назад

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.