Mandriva Linux Security Advisory : php-pear (MDVSA-2011:187)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing a security update.

Description :

A vulnerability has been discovered and corrected in php-pear :

The installer in PEAR before 1.9.2 allows local users to overwrite
arbitrary files via a symlink attack on the package.xml file, related
to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4)
pear-build-download directories, a different vulnerability than
CVE-2007-2519 (CVE-2011-1072).

This advisory provides PEAR 1.9.4, which is not vulnerable to this
issue.

Additionally, for Mandriva Enterprise Server 5, many new or updated PEAR
packages are being provided with the latest versions of the respective
packages, which also mitigates various dependency issues.

Solution :

Update the affected php-pear package.

Risk factor :

Low / CVSS Base Score : 3.3
(CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 2.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 57319

Bugtraq ID: 46605

CVE ID: CVE-2011-1072
