February 28, 2011

     Advisory: PEAR installer symlink vulnerability
 Release Date: 2011/02/28
Last Modified: 2011/02/28
       Author: Helgi Thormar Thorbjoernsson []
  Application: PEAR installer <= 1.9.1
         Risk: Medium
Vendor Status: The PEAR project has released an updated version
           ID: PSA 20110228-01


  The PEAR installer is available from
The PEAR installer is used to install PHP-based software packages
distributed from and PHP extensions from As
of version 1.4.0, the PEAR installer can also install software packages
from other sources, known as "channels."

The lack of symlink checks while doing installation and upgrades, which
initiate various system write operations, can cause privileged users
unknowingly to overwrite critical system files.


  To be vulnerable, a non-privileged user that has access to the system must
explicitly create a symlink from a predictable location, to which PEAR will
write, with an end point at a system critical file such as /etc/passwd.

A non-privileged user is not required to have permissions on the symlink
endpoint. The required privileges are obtained by asking a privileged
user to perform a routine task, such as installation or upgrade of packages,
which will in turn write to a predictable location. The whole process is
transparent to the privileged user, and the write lands on the symbolically
linked endpoint.

It is not possible to inject arbitrary information with this approach; it is
only possible to overwrite symlinked files with one of the files coming from
the PEAR package being installed/updated.

The following steps have been taken to fix the problem at hand:
 * tmpnam has been put in use to ensure fairly non-predictable paths
 * Proper symlink checks have been put in place and a warning is issued
   if a write operation happens on a symlink as well as the operation is
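
The two measures listed above, sketched in PHP as an added example (this is not the PEAR installer's own code): a symlink check before the write, and staging under an unpredictable name from PHP's tempnam(). The function name safe_install_file(), the paths, and the choice to refuse the write outright are assumptions of this example.

```php
<?php
// Added illustration, not PEAR's code. safe_install_file() and all paths are hypothetical.

function safe_install_file(string $dest, string $data): bool
{
    clearstatcache(true, $dest);           // is_link() results are cached by PHP
    if (is_link($dest)) {                  // lstat-based: also catches dangling links
        trigger_error("refusing to write through symlink: $dest", E_USER_WARNING);
        return false;
    }

    // Stage under an unpredictable name in the destination directory.
    // tempnam() creates the file (mode 0600) and can fall back to the system
    // temp dir, so confirm where it landed before relying on rename().
    $dir = realpath(dirname($dest));
    $tmp = ($dir === false) ? false : tempnam($dir, 'inst');
    if ($tmp === false || realpath(dirname($tmp)) !== $dir) {
        if ($tmp !== false) { unlink($tmp); }
        return false;
    }

    // rename() within one directory replaces the directory entry itself, so a
    // link planted after the is_link() check is replaced, not followed.
    if (file_put_contents($tmp, $data) === false || !rename($tmp, $dest)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Constructed demo: a scratch directory stands in for the install target.
$base = sys_get_temp_dir() . '/symlink-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
$victim = "$base/critical.conf";           // stands in for a system file
file_put_contents($victim, "original\n");
symlink($victim, "$base/planted.php");     // link planted at a write target

$refused = !@safe_install_file("$base/planted.php", "package file\n");
$written = safe_install_file("$base/clean.php", "package file\n");

printf("planted link refused: %s\n", var_export($refused, true));
printf("victim untouched:     %s\n", var_export(file_get_contents($victim) === "original\n", true));
printf("clean path written:   %s\n", var_export($written, true));

array_map('unlink', glob("$base/*"));      // cleanup
rmdir($base);
```

The is_link() check alone leaves a window between check and write; staging in the same directory and renaming into place is what closes it in this sketch.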

Further information about how symlink attacks work can be found at


  We strongly recommend upgrading to the new version

  PEAR 1.9.2 or higher
  pear upgrade PEAR-1.9.2

Thanks to Raphael Geisert, Ondrej Sury and the rest of the Debian team.