Symlink out-of-path write vulnerability (CVE-2020-36193)
QA Contact: (none) => security
Component: RPM Packages => Security
Updated php-pear packages fix a security vulnerability in component Archive_Tar:

- Symlink out-of-path write vulnerability (CVE-2020-36193)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193

========================
Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.2.mga7.noarch.rpm

SRPM:
php-pear-1.10.9-1.2.mga7.src.rpm
Assignee: mageia => qa-bugs
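The vulnerability class named in the advisory above (an archive entry plants a symlink that points outside the extraction directory, and a later entry writes a file through it) shown as an added example. This is not Archive_Tar's code and not the fix shipped in the package; it is a small Python re-creation of the pattern using the standard tarfile module, with a deliberately naive extractor beside a hardened one. The archives, directory names and function names are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_archive(entries):
    """Build a tar in memory from (name, kind, payload) tuples: kind "file" takes
    bytes, kind "symlink" takes the link target string. Constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Entry 1 plants a symlink that leaves the extraction directory; entry 2 is a
# regular file whose path runs *through* that symlink. An extractor that creates
# entries in order without re-checking where they land writes outside the tree.
ESCAPE_ARCHIVE = build_archive([
    ("link", "symlink", "../outside"),
    ("link/pwned.txt", "file", b"written through the symlink\n"),
])

# A harmless archive: its symlink stays inside the extraction directory.
BENIGN_ARCHIVE = build_archive([
    ("docs/readme.txt", "file", b"hello\n"),
    ("docs/latest", "symlink", "readme.txt"),
])


def naive_extract(archive, dest):
    """The vulnerable pattern: every entry is created at dest/<name>, trusting the
    name and never asking the filesystem where that path really resolves."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for m in tf.getmembers():
            path = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())


def _inside(dest_real, path):
    """True if path, after resolving '..' and any symlinks already on disk, is
    under the extraction directory."""
    real = os.path.realpath(path)
    return os.path.commonpath([dest_real, real]) == dest_real


def safe_extract(archive, dest):
    """Hardened extraction: check each entry's resolved location before creating
    it, and for symlinks also check where the target points. Returns the names
    extracted; raises ValueError on the first entry that would escape."""
    dest_real = os.path.realpath(dest)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for m in tf.getmembers():
            path = os.path.join(dest, m.name)
            # realpath follows symlinks created by earlier entries, so a file routed
            # through "link" -> "../outside" resolves outside dest and is rejected.
            if not _inside(dest_real, path):
                raise ValueError(f"{m.name!r} resolves outside {dest}")
            if m.issym():
                target = os.path.join(os.path.dirname(path), m.linkname)
                if not _inside(dest_real, target):
                    raise ValueError(f"symlink {m.name!r} -> {m.linkname!r} leaves {dest}")
            elif not (m.isfile() or m.isdir()):
                # Hard links, devices and fifos are not needed here, so refuse them.
                raise ValueError(f"{m.name!r}: unsupported entry type")
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, path)
            else:
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())
            extracted.append(m.name)
    return extracted


def demo():
    """Run both extractors in a throwaway tree: root/dest is the extraction
    directory, root/outside is a sibling directory the archive tries to reach."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        dest, outside = os.path.join(root, "dest"), os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        naive_extract(ESCAPE_ARCHIVE, dest)
        results["naive_escaped"] = os.path.isfile(os.path.join(outside, "pwned.txt"))
    with tempfile.TemporaryDirectory() as root:
        dest, outside = os.path.join(root, "dest"), os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        try:
            safe_extract(ESCAPE_ARCHIVE, dest)
            results["safe_refused"] = False
        except ValueError:
            results["safe_refused"] = True
        results["outside_untouched"] = not os.path.exists(os.path.join(outside, "pwned.txt"))
        results["benign_extracted"] = safe_extract(BENIGN_ARCHIVE, dest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats for anyone using this check in practice. The realpath check and the create are not one atomic step, so against a local attacker who can already write into the extraction directory you should extract into a freshly created, private directory rather than an existing shared one. And on Python 3.12 and later the standard library's extraction filters (`extractall(..., filter="data")`) reject link entries that point outside the destination, which covers this archive without custom code.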
Summary: php: Security issue in Archive_tar => php-pear new security issue in Archive_tar (CVE-2020-36193)
Source RPM: php-pear => php-pear-1.10.9-1.1.mga7.src.rpm
Summary: php-pear new security issue in Archive_tar (CVE-2020-36193) => php-pear new security issue in Archive_Tar (CVE-2020-36193)
Fedora has issued an advisory for this on January 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
... still waiting for validation....
Mageia 7, x64

No PoC that I can see. Updated the package. Don't know much about php so just a few entry-level commands.

$ pear version
PEAR Version: @pear_version@
PHP Version: 7.3.26
Zend Engine Version: 3.3.26
Running on: Linux canopus 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64

$ pear config-get php_dir
/usr/share/pear

$ php --ini
Configuration File (php.ini) Path: /etc
Loaded Configuration File: /etc/php.ini
Scan for additional .ini files in: /etc/php.d
Additional .ini files parsed: /etc/php.d/05_assertion.ini,
/etc/php.d/05_date.ini,
/etc/php.d/05_mail.ini,
/etc/php.d/05_pcre.ini,
[...]
/etc/php.d/81_filter.ini,
/etc/php.d/82_json.ini

$ php -S localhost:8000 -t php
PHP 7.3.26 Development Server started at Sat Jan 30 21:24:11 2021
Listening on http://localhost:8000
Document root is /home/lcl/dev/php

$ cat check_pear.php
<?php
require_once 'System.php';
var_dump(class_exists('System', false));
?>

$ php check_pear.php
bool(true)

$ pear config-set preferred_state beta
config-set succeeded

https://pear.php.net/manual/en/guide.users.commandline.installing.php

$ pear install --onlyreqdeps html_page2
No releases available for package "pear.php.net/html_page2"
install failed

$ pear install Graph
No releases available for package "pear.php.net/Graph"
install failed

Have to leave it there - don't know any php package names.
Looks like php-pear is set up properly and it sort of works.
Giving this an OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Found a package repository but was unable to make any headway.

$ pear install sebastian/comparator
Attempting to discover channel "sebastian"...
downloading channel.xml ...
Starting to download channel.xml (Unknown size)
....done: 914 bytes
unknown channel "sebastian" in "sebastian/comparator"
invalid package name/package file "sebastian/comparator"
install failed

$ pear install comparator
No releases available for package "pear.php.net/comparator"
install failed
validating based on comment 4
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0060.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED