
Gregory Beaver

#20943 of 53,633
11.9 CVSS total
Vulnerabilities · 2
Medium · 2
PT-2007-3839
6.8
2007-05-22
Php · Pear · CVE-2007-2519
**Name of the Vulnerable Software and Affected Versions**
PEAR versions 1.0 through 1.5.3

**Description**
The issue allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the `install-as` attribute in the `file` element in `package.xml` 1.0 or the `as` attribute in the `install` element in `package.xml` 2.0.

**Recommendations**
For PEAR versions 1.0 through 1.5.3, consider restricting the use of the `install-as` attribute in `package.xml` 1.0 and the `as` attribute in `package.xml` 2.0 to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2005-4853
5.1
2005-12-11
Php · Pear · CVE-2005-4154
**Name of the Vulnerable Software and Affected Versions**
PEAR installer versions 1.4.2 and earlier

**Description**
The issue allows user-assisted attackers to execute arbitrary code via a crafted package. This can occur when the pear command is executed or when the Web/Gtk frontend is loaded.

**Recommendations**
For PEAR installer versions 1.4.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.