Security Vulnerability in all PEAR versions prior to 1.4.3 discovered

Lot 49: Greg Beaver's blog

Links to know about


Music
The Chiara String Quartet
Chiara Quartet (MySpace)
Greenwood Music Camp
UNL School of Music

PHP
PEAR Installer Manifesto
phpDocumentor
PEAR
phar
docblock
PHP_Parser
PHP_Parser_DocblockParser
PHP_ParserGenerator
PHP_LexerGenerator
PEAR_PackageFileManager
PHP_Archive
Games_Chess

Blogs
Joshua Eichorn
Paul M. Jones
Davey Shafik


ohloh profile for Greg Beaver

Popular Entries

Setting up your own PEAR channel with Chiara_PEAR_Server - the official way
(28)
Do you develop a website? It is infinitely better to synchronize live and development sites using the PEAR Installer
(25)
doing the PEAR thing
(19)
Using PEAR 1.4.0 to install PEAR packages on a remote host
(19)
PEAR now fits in a bottle: meet go-pear.phar
(17)

Categories



All categories

Syndicate This Blog

Powered by

Friday, November 4. 2005

Security Vulnerability in all PEAR versions prior to 1.4.3 discovered

As noted in the official announcement at http://pear.php.net/advisory-20051104.txt, a security vulnerability has been discovered in all existing PEAR versions (that's right: PEAR 1.0 through PEAR 1.4.2) prior to today's release of PEAR 1.4.3. The vulnerability was discovered entirely by accident (it literally occurred to me while thinking about PEAR as I was getting ready for work on Monday morning). Although the risk of an exploit through this vulnerability is low, the vulnerability itself is quite severe, as it allows a malicious developer to execute arbitrary PHP code on your machine if you install an evil package.

If you are running an older version of PEAR, you need to upgrade as soon as possible. Full details of the vulnerability will be published in a few weeks.

Incidentally, an oversight removed PHP 4.2.x compatibility, which is fixed in PEAR 1.4.4

Posted by Greg Beaver in PEAR at 16:12 | Comments (0) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed
You can use [geshi lang=lang_name [,ln={y|n}]][/lang] tags to embed source code snippets
 
Submitted comments will be subject to moderation before being displayed.
 

Links in this article

PEAR Installer Manifesto

Calendar

Back November '08 Forward
Mon Tue Wed Thu Fri Sat Sun
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Quicksearch

My Latest Releases


PEAR_Frontend_Web 0.7.3

Aug 3, 2008
pearweb_gopear 1.1.2

Aug 3, 2008
pearweb_phars 1.4.2

May 19, 2008
PHP_Archive 0.11.4

May 19, 2008
PEAR 1.7.2

May 17, 2008
PhpDocumentor 1.4.2

Mar 30, 2008
pearweb_channelxml 1.13.0

Mar 8, 2008
pearweb_phars 1.4.1

Feb 14, 2008
PEAR 1.7.1

Feb 3, 2008
pearweb_gopear 1.1.1

Feb 1, 2008

Top Exits

pear.php.net (304)
www.php.net (86)
pear.chiaraquartet.net (79)
pecl.php.net (58)
news.php.net (43)

Blog Administration

Open login screen