Fedora Account System
Red Hat Associate
Red Hat Customer
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite. Upstream bug: http://pear.php.net/bugs/bug.php?id=21171
Created php-pear tracking bugs for this issue: Affects: fedora-all [bug 1418773]
Mitigation: This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.
Statement: Since pear's purpose is to download libraries for inclusion in an application, any use of `pear install` or `pear download` implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.