Your message dated Fri, 01 Feb 2019 23:03:26 +0000
with message-id <e1gphqi-0009n6...@fasolo.debian.org>
and subject line Bug#919147: fixed in php-pear 1:1.10.1+submodules+notgz-9+deb9u1
has caused the Debian Bug report #919147,
regarding php-pear: CVE-2018-1000888
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
919147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919147
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-pear
Version: 1:1.10.6+submodules+notgz-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://pear.php.net/bugs/bug.php?id=23782
Control: found -1 1:1.10.1+submodules+notgz-9

Hi,

The following vulnerability was published for php-pear.

CVE-2018-1000888[0]:
| PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915
| vulnerability in the Archive_Tar class. There are several file
| operations with `$v_header['filename']` as parameter (such as
| file_exists, is_file, is_dir, etc). When extract is called without a
| specific prefix path, we can trigger unserialization by crafting a tar
| file with `phar://[path_to_malicious_phar_file]` as path. Object
| injection can be used to trigger destruct in the loaded PHP classes,
| e.g. the Archive_Tar class itself. With Archive_Tar object injection,
| arbitrary file deletion can occur because
| `@unlink($this->_temp_tarname)` is called. If another class with a
| useful gadget is loaded, it may be possible to cause remote code
| execution that can result in files being deleted or possibly modified.
| This vulnerability appears to have been fixed in 1.4.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
[1] https://pear.php.net/bugs/bug.php?id=23782
[2] https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76
[3] https://www.exploit-db.com/exploits/46108/

Regards,
Salvatore

--- End Message ---
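An added detection-side example (not code from the bug report, from Debian, or from Archive_Tar): a small Python scanner that reads entry names straight from the 512-byte tar headers and flags any name that begins with a stream-wrapper scheme such as `phar://`, the same condition the stretch-security upload rejects before the filename reaches `file_exists()`/`is_file()`. The sample archive is constructed inside the block; the `example.phar` name in it is a placeholder.

```python
import io
import re
import tarfile

# Any URL-style stream-wrapper scheme (phar://, php://, ftp://, ...) at the
# start of an entry name. The Debian fix specifically rejects the phar:// prefix;
# matching any scheme is the stricter generalisation.
SCHEME_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9+.\-]*://")


def entry_names(tar_bytes: bytes):
    """Yield raw entry names from each tar header (ustar prefix field honoured)."""
    off = 0
    while off + 512 <= len(tar_bytes):
        hdr = tar_bytes[off:off + 512]
        if hdr == b"\0" * 512:  # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0]
        prefix = hdr[345:500].split(b"\0", 1)[0]
        if hdr[257:263] == b"ustar\0" and prefix:
            name = prefix + b"/" + name
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        yield name
        off += 512 + ((size + 511) // 512) * 512  # skip the data blocks


def unsafe_entries(tar_bytes: bytes):
    """Return entry names that a PHP file operation would treat as a wrapper URL."""
    return [n.decode("utf-8", "replace")
            for n in entry_names(tar_bytes) if SCHEME_RE.match(n)]


def build_sample_tar() -> bytes:
    """Constructed fixture: one benign entry and one whose name starts with phar://."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/README", "phar://example.phar/x"):  # placeholder names
            info = tarfile.TarInfo(name)
            info.size = 0
            tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_tar()):
        print("rejecting entry:", entry)
```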
--- Begin Message ---
Source: php-pear
Source-Version: 1:1.10.1+submodules+notgz-9+deb9u1

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 22 Jan 2019 23:09:37 +0100
Source: php-pear
Binary: php-pear
Architecture: source
Version: 1:1.10.1+submodules+notgz-9+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 919147
Description: 
 php-pear   - ${phppear:summary}
Changes:
 php-pear (1:1.10.1+submodules+notgz-9+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Don't allow filenames to start with phar:// (CVE-2018-1000888)
     (Closes: #919147)


--- End Message ---