PHP 5.5.13 acinclude.m4 overwrite arbitrary files

2014.06.09

Credit: remi

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2014-3981

CWE: N/A

CVSS Base Score: 3.3/10

Impact Subscore: 4.9/10

Exploitability Subscore: 3.4/10

Exploit range: Local

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: Partial

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
index 448659f..25f3655 100644 (file)
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -1711,7 +1711,7 @@ int main(int argc, char *argv[])
{
FILE *fp;
long position;
- char *filename = "/tmp/phpglibccheck";
+ char *filename = tmpnam(NULL);
fp = fopen(filename, "w");
if (fp == NULL) {

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1104978

https://bugs.php.net/bug.php?id=67390

http://seclists.org/fulldisclosure/2014/Jun/21

http://openwall.com/lists/oss-security/2014/06/06/12

http://git.php.net/?p=php-src.git;a=commit;h=91bcadd85e20e50d3f8c2e9721327681640e6f16

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}