[php-maint] Bug#368545: php-pear: CVE-2006-0931: PEAR::Archive_Tar
directory traversal vulnerability
alec at thened.net
Mon May 22 22:34:26 UTC 2006
CVE-2006-0931: "Directory traversal vulnerability in PEAR::Archive_Tar
1.2 allows remote attackers to create and overwrite arbitrary files via
certain crafted pathnames in a TAR archive."

This is PEAR bug 6933 and appears unfixed upstream; the bug is open
and there has not been a new release in 2006. I presume that Debian's
version is affected, but have not tested. Unfortunately, the advisory
does not include steps to reproduce, but rather has a vague link to
a utility to create sample malicious archives.

sarge and woody's php4-pear also contain PEAR::Archive_Tar.

Please include the CVE in your changelog.
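
The CVE text quoted in the report names "crafted pathnames" without listing them. As an added example (not from the report, the advisory or Archive_Tar itself), this Python pre-extraction audit rejects the two general classes of member name that leave the destination directory: absolute paths, and `..` components that resolve above it. The destination `/srv/unpack`, the function names and the sample archive are assumptions constructed for illustration; symlink and hardlink members are not examined.

```python
import io
import posixpath
import tarfile


def unsafe_reason(name, dest="/srv/unpack"):
    """Return why a member name would land outside dest, or None if it stays inside."""
    dest = posixpath.normpath(dest)
    if name.startswith("/"):
        return "absolute path"
    # Tar names use "/" separators; resolve ".." lexically, without touching disk.
    target = posixpath.normpath(posixpath.join(dest, name))
    # Compare against dest + "/" so a sibling such as /srv/unpack2 does not pass.
    if target != dest and not target.startswith(dest + "/"):
        return "escapes destination via '..'"
    return None


def audit_tar(fileobj, dest="/srv/unpack"):
    """List (member name, reason) for every member that must not be extracted."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            reason = unsafe_reason(member.name, dest)
            if reason:
                findings.append((member.name, reason))
    return findings


def build_sample():
    """Constructed sample archive: one-byte files whose names exercise each case."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "a/../b.txt", "../outside.txt",
                     "x/../../outside2.txt", "/tmp/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"REJECT {name}: {reason}")
```

Run the audit before any extraction call and refuse the whole archive if it returns findings, rather than skipping individual members.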