oss-sec mailing list archives

Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack


From: Josh Bressers <bressers () redhat com>
Date: Mon, 28 Feb 2011 16:01:58 -0500 (EST)

Please use CVE-2011-1072

Thanks.

-- 
    JB


----- Original Message -----
The lack of symlink checks in the PEAR installer 1.9.1 <= while doing
installation and upgrades, which initiate various system write
operations, can cause privileged users unknowingly to overwrite
critical system files.

Further information can be found in this temporary advisory
http://pear.php.net/advisory-20110228.txt and the

Fixes can be found at http://news.php.net/php.pear.cvs/61264

- Helgi

