CVE-2014-5459

Publication date 27 September 2014

Last updated 18 December 2024


Ubuntu priority

Negligible

Why this priority?

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

Read the notes from the security team

Status

Package Ubuntu Release Status
php-pear 24.10 oracular
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
23.10 mantic Ignored end of life, was deferred [2022-03-08]
23.04 lunar Ignored end of life, was deferred [2022-03-08]
22.10 kinetic Ignored end of life, was deferred [2022-03-08]
22.04 LTS jammy
Vulnerable, fix deferred
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.10 groovy Ignored end of life
20.04 LTS focal
Vulnerable, fix deferred
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.10 cosmic Ignored end of life
18.04 LTS bionic
Vulnerable, fix deferred
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Vulnerable, fix deferred
15.10 wily Not in release
14.04 LTS trusty Not in release
12.04 LTS precise Not in release
php5 24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Not in release
21.04 hirsute Not in release
20.10 groovy Not in release
20.04 LTS focal Not in release
19.10 eoan Not in release
19.04 disco Not in release
18.10 cosmic Not in release
18.04 LTS bionic Not in release
17.10 artful Not in release
17.04 zesty Not in release
16.10 yakkety Not in release
16.04 LTS xenial Not in release
15.10 wily Ignored end of life
15.04 vivid Ignored end of life
14.10 utopic Ignored end of life
14.04 LTS trusty Ignored end of ESM support, was deferred [2022-03-08]
12.04 LTS precise Ignored end of life
10.04 LTS lucid Ignored end of life

Notes


jdstrand

Upstream states this is a known issue


sbeattie

upstream claims fixed in 1.9.2, but still uses /tmp/pear/ according to debian bug report


mdeslaur

1.9.2+ only a DoS


rodrigo-zaiden

No complete fix was provided as of 2022-03-08.