Ondrej

**Name of the Vulnerable Software and Affected Versions** PEAR versions prior to 1.9.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the download dir, cache dir, tmp dir, and pear-build-download directories. **Recommendations** For versions prior to 1.9.2, update to version 1.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the download dir, cache dir, tmp dir, and pear-build-download directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PEAR versions 1.9.2 and earlier **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on the `package.xml` file. This is related to the `download dir`, `cache dir`, `tmp dir`, and `pear-build-download` directories. The problem exists due to an incomplete fix for a previous issue. **Recommendations** For PEAR versions 1.9.2 and earlier, consider restricting access to the `package.xml` file and the related directories to minimize the risk of exploitation. As a temporary workaround, avoid using the installer until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.