/
advisory-20051104.txt
77 lines (55 loc) · 2.43 KB
/
advisory-20051104.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SECURITY VULNERABILITY ANNOUNCEMENT
November 4, 2005
Advisory: PEAR installer arbitrary code execution vulnerability
Release Date: 2005/11/04
Last Modified: 2005/11/04
Author: Gregory Beaver [cellog@php.net]
Application: PEAR installer <= 1.4.2
Severity: A standard feature of the PEAR installer implemented in
all versions of PEAR can lead to the execution of
arbitrary PHP code upon running the "pear" command
or loading the Web/Gtk frontend.
Risk: Low
Vendor Status: The PEAR project has released an updated version
References: http://pear.php.net/advisory-20051104.txt
Overview:
The PEAR installer is available from http://pear.php.net/package/PEAR.
The PEAR installer is used to install PHP-based software packages
distributed from pear.php.net and PHP extensions from pecl.php.net. As
of version 1.4.0, the PEAR installer can also install software packages
from other sources, known as "channels."
A poorly-implemented feature allows a package installed by the PEAR
installer to execute arbitrary code any time the "pear" command is
executed or the Web/Gtk frontend is loaded.
Details:
To be vulnerable, a user must explicitly install a publicly released
malicious package using the PEAR installer, or explicitly install a
package that depends on a malicious package.
Full details of the vulnerability will be released at a later date.
Proof of concept:
The PEAR development team will not release an example exploit to the
public.
Disclosure Timeline:
01. November 2005 - vulnerability discovered by Gregory Beaver
02. November 2005 - possible solutions discussed privately
03. November 2005 - The PEAR Project releases new bugfixed version
04. November 2005 - Public disclosure
Recommendation:
We strongly recommend to upgrade to the new version
PEAR 1.4.3
pear upgrade PEAR-1.4.3
http://pear.php.net/get/PEAR-1.4.3.tgz
GPG-Key:
http://pgp.mit.edu:11371/pks/lookup?search=0x1F81E560&op=get
pub 1024D/1F81E560 2004/12/30 Greg Beaver <greg@chiaraquartet.net>
Key fingerprint = B064 E549 8D51 712E 40E8 F9A1 B769 2595 1F81 E560
Copyright 2005, The PHP Group.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDauf5t2kllR+B5WARAuGDAJ41MYVXi4Mx6zrGgAuBXJ9OMDPqHgCgwzdc
GmGEMeOarN+uGLmir+OHivY=
=hLfa
-----END PGP SIGNATURE-----