PEAR 1.3.X Graves security holes


Well-Known Member
PEAR 1.4.6 was just released at ( This is a minor bugfix release and complete details are available at, but I must stress two points with extreme seriousness:

1. PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
2. PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous

The second point applies to all people who think that the latest vulnerability in PEAR can be fixed in 1.3.5 with a simple patch. There are several unpublished serious bugs. A few days back, I was contacted by a diligent developer of a linux distribution who was wondering how serious the vulnerability in PEAR 1.4.2 and earlier is, and whether it would be possible to get a patch for PEAR 1.3.5. After reflection on the serious bugs in PEAR 1.3.x that were fixed in PEAR 1.4.x with unit testing, I came to realize that there is yet another serious security vulnerability in PEAR 1.3.x. I will publish the details shortly.pear.php

Don't hesitate, upgrade to PEAR 1.4.6 at your earliest convenience.​


Also, several errors from /scripts/easyapache & php 4.4.2

Error and PEAR broken.

Try to manual pear update fails.

pear list-upgrades Available Upgrades (stable):
Channel      Package              Local          Remote          Size Mail                 1.1.3 (stable) 1.1.10 (stable) 16.5kB Net_SMTP             1.2.6 (stable) 1.2.8 (stable)  11.1kB Net_Socket           1.0.1 (stable) 1.0.6 (stable)  4.5kB Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB XML_Parser           1.0.1 (stable) 1.2.7 (stable)  12.7kB

pear/PEAR dependency package "pear/Archive_Tar" installed version 1.1 is not the recommended version 1.3.1, but may be compatible, use --force to install

Notice: Only variables should be assigned by reference in /home/cpapachebuild/buildapache/php-4.4.2/pear/PEAR/Installer.php on line 982
[PEAR] PEAR: Installation failed: invalid package file
Ufff. very broken panel and securty issues. All user that uses pear, broken his service.

A bad day.


Well-Known Member
For update PEAR manually before Cpanel TEAM update backend scripts:

root#pear list-upgrades

// Example of screen
Available Upgrades (stable):
Package              Local          Remote          Size
Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
HTML_Template_IT     1.1 (stable)   1.1.4 (stable)  19.7kB
Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
XML_RPC              1.4.8 (stable) 1.5.0 (stable)  31kB

root#pear upgrade -f PEAR 
root#pear upgrade -f Archive_Tar HTML_Template_IT Net_UserAgent_Detect  XML_RPC

Several root#pear list-upgrades for verify all correct.