Package: php-pear
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-0931: "Directory traversal vulnerability in PEAR::Archive_Tar 1.2 allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive."

This is PEAR bug 6933 [1] and appears unfixed upstream; the bug is open and there has not been a new release in 2006. I presume that Debian's version is affected, but have not tested. Unfortunately, the advisory [2] does not include steps to reproduce, but rather has a vague link to a utility to create sample malicious archives.

sarge and woody's php4-pear also contain PEAR::Archive_Tar.

Please include the CVE in your changelog.

Thanks,
Alec

[1] http://pear.php.net/bugs/bug.php?id=6933
[2] http://www.hamid.ir/security/phptar.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcjxyAud/2YgchcQRAoL8AJ9l4zPHnlbuKk7pO2of3166koYnEACgltp0
pXpzZX1K7xsn2njzqsasPRo=
=ZYKt
-----END PGP SIGNATURE-----
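The class of bug reported above is archive members whose names (or link targets) resolve outside the extraction directory. The following is an added illustration of the check an extractor needs, written in Python rather than PHP so it can run stand-alone; it is not code from the bug report, from PEAR::Archive_Tar or from Debian. All function names, the destination directory `/srv/extract` and the in-memory archive are constructed for the example.

```python
import io
import os
import posixpath
import tarfile


def _inside(dest: str, archive_path: str) -> bool:
    """True if `archive_path`, joined onto `dest`, still resolves inside `dest`."""
    # Absolute names would discard `dest` entirely in os.path.join; a backslash
    # would be treated as a separator on Windows. Both are rejected outright.
    if not archive_path or archive_path.startswith("/") or "\\" in archive_path:
        return False
    dest_abs = os.path.realpath(dest)
    # realpath collapses any "..", "." and already-extracted symlinks.
    target = os.path.realpath(os.path.join(dest_abs, archive_path))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """Reject members whose name or link target escapes `dest`."""
    if not _inside(dest, member.name):
        return False
    if member.issym() or member.islnk():
        # A symlink target is relative to the member's own directory; a hard
        # link target is relative to the archive root. Either may point outside.
        if member.issym():
            link_target = posixpath.join(posixpath.dirname(member.name), member.linkname)
        else:
            link_target = member.linkname
        return _inside(dest, link_target)
    return True


def audit_archive(data: bytes, dest: str):
    """Split the archive's members into (safe, rejected) name lists without extracting."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf.getmembers():
            (safe if is_safe_member(member, dest) else rejected).append(member.name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory tar: one ordinary file plus members that escape `dest`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        # addfile() stores TarInfo.name verbatim, so hostile names survive unlike tf.add().
        for name in ["docs/readme.txt", "../escaped.txt",
                     "/tmp/absolute.txt", "a/b/../../../escaped2.txt"]:
            info = tarfile.TarInfo(name)
            payload = b"sample"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        # Symlink whose target climbs out of the destination directory.
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_archive(), "/srv/extract")
    print("safe:    ", ok)
    print("rejected:", bad)
```

The check is deliberately done on the resolved path rather than by looking for a literal `../`, since `a/b/../../../x` contains no leading `..` yet still escapes. Modern Python (3.12 and later, backported to maintenance releases) offers the same protection built in via `tarfile.TarFile.extractall(..., filter="data")`; an extractor that lacks such a filter needs a member check like the one above before writing anything to disk.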

