PEAR 1.3.X serious security holes

speckados

Well-Known Member
PEAR 1.4.6 was just released at pear.php.net (http://pear.php.net/PEAR). This is a minor bugfix release and complete details are available at pear.php.net, but I must stress two points with extreme seriousness:

1. PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
2. PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous

The second point applies to all people who think that the latest vulnerability in PEAR can be fixed in 1.3.5 with a simple patch. There are several unpublished serious bugs. A few days back, I was contacted by a diligent developer of a linux distribution who was wondering how serious the vulnerability in PEAR 1.4.2 and earlier is, and whether it would be possible to get a patch for PEAR 1.3.5. After reflection on the serious bugs in PEAR 1.3.x that were fixed in PEAR 1.4.x with unit testing, I came to realize that there is yet another serious security vulnerability in PEAR 1.3.x. I will publish the details shortly.

Don't hesitate, upgrade to PEAR 1.4.6 at your earliest convenience.

From http://greg.chiaraquartet.net/archives/107-Why-it-is-very-important-to-upgrade-to-PEAR-1.4.6-from-PEAR-1.3.x.html

Also, several errors from /scripts/easyapache & php 4.4.2

Error and PEAR broken.

Trying a manual pear update fails.

Code:
pear list-upgrades
pear.php.net Available Upgrades (stable):
=========================================
Channel      Package              Local          Remote          Size
pear.php.net Mail                 1.1.3 (stable) 1.1.10 (stable) 16.5kB
pear.php.net Net_SMTP             1.2.6 (stable) 1.2.8 (stable)  11.1kB
pear.php.net Net_Socket           1.0.1 (stable) 1.0.6 (stable)  4.5kB
pear.php.net Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
pear.php.net XML_Parser           1.0.1 (stable) 1.2.7 (stable)  12.7kB

/scripts/easyapache
......
pear/PEAR dependency package "pear/Archive_Tar" installed version 1.1 is not the recommended version 1.3.1, but may be compatible, use --force to install

Notice: Only variables should be assigned by reference in /home/cpapachebuild/buildapache/php-4.4.2/pear/PEAR/Installer.php on line 982
[PEAR] PEAR: Installation failed: invalid package file
Ufff. Very broken panel and security issues. Every user that uses pear has a broken service.

A bad day.

speckados

Well-Known Member
To update PEAR manually before the cPanel team updates the backend scripts:

Code:
root#pear list-upgrades

// Example of screen
Available Upgrades (stable):
============================
Package              Local          Remote          Size
Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
HTML_Template_IT     1.1 (stable)   1.1.4 (stable)  19.7kB
Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
XML_RPC              1.4.8 (stable) 1.5.0 (stable)  31kB

root#pear upgrade -f PEAR 
root#pear upgrade -f Archive_Tar HTML_Template_IT Net_UserAgent_Detect  XML_RPC

Run root#pear list-upgrades several more times to verify that all is correct.
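As an added check that is not part of speckados' post: a small POSIX sh script that reads `pear list-upgrades` output in either table shape shown in this thread (the 1.3.x "Package Local ..." layout and the channel-prefixed 1.4.x layout) and reports whether the core PEAR package is still below 1.4.6, the release the quoted announcement asks for. The sample table and the helper names (`local_version`, `vercmp`, `pear_needs_upgrade`) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: read `pear list-upgrades` output
# and report whether the core PEAR package is still older than the fixed release.

# Constructed sample in the 1.3.x table shape from the post above.
SAMPLE_LIST_UPGRADES='Available Upgrades (stable):
============================
Package              Local          Remote          Size
Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
XML_RPC              1.4.8 (stable) 1.5.0 (stable)  31kB'

# Print the local version of package $1 from list-upgrades text on stdin.
# Handles both table shapes on this page: "Package Local ..." (PEAR 1.3.x)
# and "Channel Package Local ..." (PEAR 1.4.x). Prints nothing if absent.
local_version() {
    awk -v pkg="$1" '$1 == pkg { print $2; exit } $2 == pkg { print $3; exit }'
}

# Compare two dotted numeric versions; prints -1, 0 or 1 (missing parts = 0).
vercmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when PEAR in list-upgrades text $1 is older than version $2.
# PEAR not listed means it is already current, so no upgrade is needed.
pear_needs_upgrade() {
    v=$(printf '%s\n' "$1" | local_version PEAR)
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" "$2")" -lt 0 ]
}

# On a real host replace the sample with the output of: pear list-upgrades
if pear_needs_upgrade "$SAMPLE_LIST_UPGRADES" 1.4.6; then
    echo "PEAR is below 1.4.6: run 'pear upgrade -f PEAR' before the other upgrades"
fi
```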