Package "php-pear"

Name: php-pear


PEAR Base System

Latest version: 1:1.10.5+submodules+notgz-1ubuntu1.18.04.4
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://pear.php.net/package/PEAR


Other versions of "php-pear" in Bionic

Repository Area Version
base main 1:1.10.5+submodules+notgz-1ubuntu1
updates main 1:1.10.5+submodules+notgz-1ubuntu1.18.04.4


Version: 1:1.10.5+submodules+notgz-1ubuntu1.18.04.4 2021-07-29 17:06:19 UTC

  php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: incorrect symlink extraction
    - debian/patches/CVE-2021-32610.patch: properly fix symbolic link path
      traversal in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2021-32610

 -- Marc Deslauriers <email address hidden> Wed, 28 Jul 2021 10:48:51 -0400

CVE-2021-32610 In Archive_Tar before 1.4.14, symlinks can refer to targets outside of ...

Version: 1:1.10.5+submodules+notgz-1ubuntu1.18.04.3 2021-02-08 14:06:30 UTC

  php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: directory traversal attack in Archive_Tar
    - debian/patches/CVE-2020-36193-1.patch: disallow symlinks to
      out-of-path filenames in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-2.patch: fix out-of-path check for
      virtual relative symlink in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-3.patch: PHP compat fix in
    - CVE-2020-36193

 -- Marc Deslauriers <email address hidden> Thu, 04 Feb 2021 10:38:05 -0500

CVE-2020-36193 Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue

Version: 1:1.10.5+submodules+notgz-1ubuntu1.18.04.2 2020-12-01 14:06:18 UTC

  php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: unserialization attack in Archive_Tar
    - debian/patches/CVE-2020-2894x.patch: catch additional malicious or
      crafted filenames in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-28948
    - CVE-2020-28949

 -- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 10:02:42 -0500

CVE-2020-2894 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.4
CVE-2020-28948 Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28949 Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to o

Version: 1:1.10.5+submodules+notgz-1ubuntu1.18.04.1 2019-01-14 19:07:13 UTC

  php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: unserialization vulnerability in Archive_Tar
    - debian/patches/CVE-2018-1000888.patch: don't allow filenames to start
      with phar:// in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2018-1000888

 -- Marc Deslauriers <email address hidden> Fri, 11 Jan 2019 13:23:21 -0500

CVE-2018-1000888 PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with