Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

[Vincent Danen <vdanen () redhat com>]

* [2011-03-01 10:24:48 +0000] Helgi ?ormar ?orbj?rnsson wrote:

> Hi,
> On 1 Mar 2011, at 09:11, Pierre Joye wrote:
>
> > hi,
> >
> > 2011/2/28 Dan Rosenberg <dan.j.rosenberg () gmail com>:
> > > I'm not familiar with this code or any of the context surrounding this
> > > fix, but it appears to be an incomplete fix.  Checking for existence
> > > of a symlink and then opening the resource leaves open a window during
> > > which a legitimate file can be replaced with a symlink.
> >
> > Not sure it is fixable, or maybe using a lock on the symbolic link
> > while fetching its target (to be tested to be sure that such locks
> > cannot be overridden from shell).
>
> I assume you are referring to the parts for REST.php in the patch in question?
> At a second look, that part could do with improvements; I wrote up a function which takes TOCTOU into consideration.
> I'll have that patch done by the end of the day.
>
> For other situations I am using tempnam() (via the System class) as those files are only temporary and were being 
> extracted from compressed archives; The predictability of their end destination where the centre part of the reported 
> security problem.

I took a quick look at the svn repository and don't see any additional
fixes.  So this means that 1.9.2 has the original fix (CVE-2011-1072)
but not the complete fix (to which MITRE has assigned CVE-2011-1144,
for an incomplete fix of CVE-2011-1072) 

Any word on patches to fully fix the problem yet?  I guess that a 1.9.3
must be planned to come soon (which would contain the CVE-2011-1144
fixes)?

--
Vincent Danen / Red Hat Security Response Team