PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after following an HTTP redirect: the name under which the download is saved comes from the responding server and is not checked. A malicious or compromised remote HTTP server can therefore overwrite files in the directory `pear download` is run from via crafted responses, as demonstrated by an overwrite of `.htaccess`.
Upstream bug: http://pear.php.net/bugs/bug.php?id=21171
Created php-pear tracking bugs for this issue: Affects: fedora-all [bug 1418773]
Mitigation: This vulnerability only allows files in the current working directory (the directory `pear download` is run from) to be overwritten, so running `pear download` in a fresh, empty temporary directory and inspecting what was written before moving it elsewhere effectively mitigates the risk of a dangerous file overwrite.
Statement: Since pear's purpose is to download libraries for inclusion in an application, any use of `pear install` or `pear download` implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.
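As an added example (this is not PEAR's code and not the upstream fix, which may differ in detail), the following Python sketch shows the kind of check a package downloader should apply to a filename learned from the server after a redirect, and the advisory's own mitigation of writing only into a fresh temporary directory. The mirror URLs and `Content-Disposition` headers are constructed for the example; the allowed archive suffixes are an assumption.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote, urlsplit

# Archive suffixes a package downloader should be willing to write (assumed list).
ALLOWED_SUFFIXES = (".tgz", ".tar", ".tar.gz", ".zip", ".phar")


def filename_from_response(final_url, content_disposition=None):
    """Candidate name the way a naive downloader derives it after following
    redirects: a Content-Disposition filename wins, otherwise the last path
    segment of the URL that actually answered. Both are server-controlled."""
    if content_disposition:
        m = re.search(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)"?',
                      content_disposition, re.IGNORECASE)
        if m:
            return unquote(m.group(1).strip())
    return unquote(posixpath.basename(urlsplit(final_url).path))


def safe_package_filename(name):
    """Return name if it is acceptable as a package archive name, else None.
    Rejects path components, dotfiles such as .htaccess, NUL bytes and
    anything that does not look like a plain archive file."""
    if not name or "\x00" in name:
        return None
    if "/" in name or "\\" in name or name in (".", ".."):
        return None
    if name.startswith("."):
        return None
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        return None
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._+-]*", name):
        return None
    return name


def destination_path(name, dest_dir=None):
    """Join a validated name onto dest_dir (a fresh temporary directory by
    default, the mitigation the advisory recommends) and refuse anything that
    would land outside it, even after symlink resolution."""
    if safe_package_filename(name) is None:
        raise ValueError("refusing server-supplied filename: %r" % (name,))
    if dest_dir is None:
        dest_dir = tempfile.mkdtemp(prefix="pear-download-")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        raise ValueError("path escapes download directory: %r" % (target,))
    return target


def classify_responses():
    """Constructed final responses (not real pear.php.net traffic) for a
    client that asked for PEAR-1.10.1.tgz and followed a redirect.
    Returns {case: (naive_name, accepted_name_or_None)}."""
    cases = {
        "honest": ("http://mirror.example/get/PEAR-1.10.1.tgz",
                   "attachment; filename=PEAR-1.10.1.tgz"),
        "htaccess": ("http://mirror.example/get/PEAR-1.10.1.tgz",
                     'attachment; filename=".htaccess"'),
        "traversal": ("http://mirror.example/get/x.tgz",
                      "attachment; filename=../../config.php"),
        "php_by_url": ("http://mirror.example/get/shell.php", None),
    }
    out = {}
    for case, (url, disposition) in cases.items():
        naive = filename_from_response(url, disposition)
        out[case] = (naive, safe_package_filename(naive))
    return out


if __name__ == "__main__":
    for case, (naive, accepted) in classify_responses().items():
        print("%-12s server says %-22r -> %s" % (case, naive, accepted or "REFUSED"))
```

The "htaccess" case is the one the advisory describes: a naive client that trusts the post-redirect response saves the archive as `.htaccess` in its working directory, while the check above refuses it. `destination_path` adds the second layer, so that even an accepted name can only ever land inside the directory chosen for the download.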