| Summary: | php-pear new security issue in Archive_Tar (CVE-2020-36193) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | php-pear-1.10.9-1.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description

Marc Krämer 2021-01-19 13:40:47 CET

Updated php-pear packages fix a security vulnerability in component Archive_tar:

- Symlink out-of-path write vulnerability (CVE-2020-36193)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193

========================
Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.2.mga7.noarch.rpm

SRPM:
php-pear-1.10.9-1.2.mga7.src.rpm

Marc Krämer 2021-01-19 13:40:54 CET

QA Contact: (none) => security
Assignee: mageia => qa-bugs
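The advisory above names a symlink out-of-path write: an archive carries a symlink entry whose target lies outside the extraction directory, and a later entry is then written through that link. The following is an added example, not code from this bug report, from php-pear or from Archive_Tar: a pre-extraction scan in Python (standard `tarfile` module) that refuses the three entry shapes behind that class of bug. The extraction root `/srv/extract` and the archive contents are constructed for the example.

```python
import io
import posixpath
import tarfile

ROOT = "/srv/extract"  # assumed extraction root, constructed for the example


def _inside(root, abs_path):
    """True if a normalised absolute path lies at or below root (prefix-safe)."""
    return abs_path == root or abs_path.startswith(root + "/")


def _resolve_link(root, name, linkname):
    """Absolute path a symlink entry would point to once extracted under root."""
    if posixpath.isabs(linkname):
        return posixpath.normpath(linkname)
    return posixpath.normpath(posixpath.join(root, posixpath.dirname(name), linkname))


def find_unsafe_members(archive_bytes, root=ROOT):
    """Scan a tar archive before extraction and return (member, reason) pairs for
    entries that would write outside root: traversal in the entry name, a symlink
    whose target escapes root, or an entry whose path passes through an earlier
    symlink (the write-through-symlink pattern named in the advisory)."""
    root = posixpath.normpath(root)
    unsafe = []
    symlinks = set()  # normalised names of symlink entries seen so far
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            name = posixpath.normpath(member.name)
            # 1. The entry name itself escapes the root ("../x" or "/etc/x").
            if not _inside(root, posixpath.normpath(posixpath.join(root, name))):
                unsafe.append((member.name, "path escapes extraction root"))
                continue
            # 2. Any parent component of the entry is a symlink seen earlier.
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                unsafe.append((member.name, "path passes through a symlink"))
                continue
            # 3. A symlink entry whose target resolves outside the root.
            if member.issym():
                symlinks.add(name)
                if not _inside(root, _resolve_link(root, name, member.linkname)):
                    unsafe.append((member.name, "symlink target escapes extraction root"))
    return unsafe


def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def build_sample_archive():
    """Constructed in-memory archive: a benign file, a benign symlink, and three
    entries a hardened extractor must refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "app/README", b"harmless\n")
        _add_symlink(tar, "app/link", "../../../tmp")    # target escapes root
        _add_file(tar, "app/link/payload.txt", b"x\n")   # would be written through the link
        _add_symlink(tar, "app/docs", "README")          # stays inside root
        _add_file(tar, "../outside.txt", b"x\n")         # plain traversal in the name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in find_unsafe_members(build_sample_archive()):
        print(f"REFUSE {member}: {reason}")
```

Running the block lists `app/link`, `app/link/payload.txt` and `../outside.txt` as refused while `app/README` and `app/docs` pass. The check works on the normalised paths of the archive entries, in archive order, so a file entry is rejected even when the symlink it writes through was itself harmless-looking; `_inside` compares against `root + "/"` rather than a bare prefix so that a sibling such as `/srv/extractor` is not mistaken for the root.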
David Walser 2021-01-19 14:35:26 CET

Summary: php: Security issue in Archive_tar => php-pear new security issue in Archive_tar (CVE-2020-36193)

David Walser 2021-01-19 14:35:44 CET

Summary: php-pear new security issue in Archive_tar (CVE-2020-36193) => php-pear new security issue in Archive_Tar (CVE-2020-36193)

Fedora has issued an advisory for this on January 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/

... still waiting for validation....

Mageia 7, x64

No PoC that I can see.
Updated the package. Don't know much about php so just a few entry-level commands.

```
$ pear version
PEAR Version: @pear_version@
PHP Version: 7.3.26
Zend Engine Version: 3.3.26
Running on: Linux canopus 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64
$ pear config-get php_dir
/usr/share/pear
$ php --ini
Configuration File (php.ini) Path: /etc
Loaded Configuration File:         /etc/php.ini
Scan for additional .ini files in: /etc/php.d
Additional .ini files parsed:      /etc/php.d/05_assertion.ini,
/etc/php.d/05_date.ini,
/etc/php.d/05_mail.ini,
/etc/php.d/05_pcre.ini,
[...]
/etc/php.d/81_filter.ini,
/etc/php.d/82_json.ini
$ php -S localhost:8000 -t php
PHP 7.3.26 Development Server started at Sat Jan 30 21:24:11 2021
Listening on http://localhost:8000
Document root is /home/lcl/dev/php
$ cat check_pear.php
<?php
require_once 'System.php';
var_dump(class_exists('System', false));
?>
$ php check_pear.php
bool(true)
$ pear config-set preferred_state beta
config-set succeeded
https://pear.php.net/manual/en/guide.users.commandline.installing.php
$ pear install --onlyreqdeps html_page2
No releases available for package "pear.php.net/html_page2"
install failed
$ pear install Graph
No releases available for package "pear.php.net/Graph"
install failed
```

Have to leave it there - don't know any php package names.
Looks like php-pear is set up properly and it sort of works.
Giving this an OK.

Whiteboard: (none) => MGA7-64-OK

Found a package repository but was unable to make any headway.

```
$ pear install sebastian/comparator
Attempting to discover channel "sebastian"...
downloading channel.xml ...
Starting to download channel.xml (Unknown size)
....done: 914 bytes
unknown channel "sebastian" in "sebastian/comparator"
invalid package name/package file "sebastian/comparator"
install failed
$ pear install comparator
No releases available for package "pear.php.net/comparator"
install failed
```

validating based on comment 4

Keywords: (none) => validated_update
Thomas Backlund 2021-01-31 21:52:38 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0060.html

Resolution: (none) => FIXED