PEAR Security Advisory (PSA 200911-14-01)
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
Multiple remote arbitrary command injections have been found in the Net_Ping
Net_Ping is an OS independent wrapper class for executing ping calls from PHP
Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP
Package / Vulnerable / Unaffected
1 Net_Ping < 2.4.5 >= 2.4.5
2 Net_Traceroute < 0.21.2 >= 0.21.2
2 affected packages on all of their supported architectures.
Remote Arbitrary Command Injection
When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release. The bug is fixed, and will be included in upcoming updates from Ubuntu.
From PEAR’s perspective, the key issue relates to the zlib library. This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed. The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.
If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message. This means the process failed. The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:
pear install -Z phpdocumentor
The core router issues at the hosting provider have been resolved. Sorry for the inconvenience. pear.php.net and the PEAR channel are now back in business.
The PEAR website is currently unavailable due to network issues where the server is located. The hosting provider is working to restore service.
In the meantime, the best alternative for PEAR installer usage is to point your “preferred_mirror” to one of the mirror PEAR channel servers. Use one of the commands below to choose a mirror near you:
- U.S: pear config-set preferred_mirror us.pear.php.net
- Germany: pear config-set preferred_mirror de.pear.php.net
If you are using a PEAR installer older than version 1.9.0, and the preferred_mirror settings do not work successfully for you, a manual alternative for retrieving packages is to use the “download” command and point directly to the tarball file:
- pear download http://us.pear.php.net/get/PEAR-1.9.0.tgz
- pear download http://de.pear.php.net/get/PEAR-1.9.0.tar
If using this option, you must specify the package name in the correct case, while including the version number and the file type:
Some PEAR installations on PHP 5.2.9 and 5.2.10 seem to be corrupted. When trying to install something, you will get the error:
pear.php.net is using a unsupported protocal – This should never happen. install failed
This problem comes from corrupted channel files. Go into your PEAR php directory and backup .channels directory:
cd `pear config-get php_dir`
mv .channels .channels-broken
This means you lost all your channels except for the default ones (pear, pecl, doc and __uri) – but at least you do not have to re-install PEAR.
Sorry for the inconvenience.
I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.
With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.
Congratulations to the elected 7s (In no particular order):
- Christian Weiske
- Chuck Burgress
- Daniel O’Connor
- Ken Guest
- Bill Shupp
- Michael Gauthier
- Brett Bieber
I can’t wait to have our first meeting and get the year kicking!
Thanks to everyone who voted!
As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!
So remember to cast your vote at http://pear.php.net/election/ and you have until the the 5th of August 2009.
There are many new candidates for the Group and I think you should go and check them out!
Now that pear2 is in svn.php.net, it is possible to do commits with
multiple packages using a feature of subversion called “sparse checkouts.”
Rasmus wrote about this for setting up php checkouts here:
Here is the version I used to set up pear and pear2 in a way that will
allow committing to both pear and pear2 packages in a single commit.
For packages like Console_CommandLine that live in both repositories,
this is very useful for tracking merges. (Note: on windows, get
TortoiseSVN 1.6.3, and right-click “checkout” for checkout, and use the
“update to revision” option for the sparse updates)
svn co http://svn.php.net/repository –set-depth empty phpsvn
svn up –set-depth immediates pear pear2
svn up –set-depth immediates pear2/* pear/*
svn up –set-depth infinity pear2/*/trunk pear/*/trunk
svn up –set-depth immediates pear2/sandbox
svn up –set-depth infinity pear2/sandbox/*/trunk
svn up –set-depth immediates pear/peardoc
svn up –set-depth infinity pear/peardoc/trunk
At this point, your work is done. You can perform the same steps for
pearweb if you’re a maintainer, and be on your way.
With the above setup, when you make a change to a package, you can
update the documentation immediately and commit it together, by changing
to phpsvn and running “svn commit” (Windows: right-click on the phpsvn
folder and choose “svn commit”)
Hopefully this will get people started with being able to develop more
efficiently and to work effectively with PEAR2.
If you want to start a Pear2 package, all you need to do is send an
email to the firstname.lastname@example.org, and the PEAR Group will get you set up. I’m happy to answer
Some users have reported that the windows builds of PHP 5.3 are not able to open the shipped go-pear.phar file.
As a workaround, users can run the distributed phar with
php -d phar.require_hash=0 go-pear.phar or download and use the http://pear.php.net/go-pear non-pharred version.
Thanks to the efforts of Daniel O’Connor, the PEAR website is getting nicer and better. Bug RSS feeds support Baetle now, the PEAR proposal system – PEPr – works again and many small improvements and fixes found their way on the site.