<snip> Lack of validation of the install-as attribute in package.xml version 1.0 and of the <install> tag in package.xml version 2.0 allows attackers to install files in any location and possibly overwrite crucial system files if the PEAR Installer is running as a privileged user. </snip> A couple of notes on this: Gentoo PHP team doesn't support using pear install directly by users and ebuilds for PEAR packages that are in the tree are certainly not malicious. :) Also, the installed (malicious) code already could do the same if you run it as privileged user, as noted in CVE-2007-2519 description. Regardless, if you want to handle this, I'll prepare an ebuild for 1.6.1, it'd have to be done sooner or later anyway. It's going to take some time due to the way we are handling PEAR installer on Gentoo.
dev-php/PEAR-PEAR-1.6.1 committed, ready for stabilization if you wish. :)
thanks Jakub. Arches, please test and mark stable dev-php/PEAR-PEAR-1.6.1. Target keywords are: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
sparc stable.
Stable for HPPA.
x86 stable
ppc64 stable
ppc stable
amd64 stable
alpha/ia64 stable
I tend to vote NO.
I vote no.
voting no too and closing.
