Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2014-5459

Publication date 27 September 2014

Last updated 15 October 2024

Ubuntu priority

Negligible

Why this priority?

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

Read the notes from the security team

Status

Package Ubuntu Release Status
php-pear 24.10 oracular
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
23.10 mantic Ignored end of life, was deferred [2022-03-08]
23.04 lunar Ignored end of life, was deferred [2022-03-08]
22.10 kinetic Ignored end of life, was deferred [2022-03-08]
22.04 LTS jammy
Vulnerable, fix deferred
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.10 groovy Ignored end of life
20.04 LTS focal
Vulnerable, fix deferred
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.10 cosmic Ignored end of life
18.04 LTS bionic
Vulnerable, fix deferred
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Vulnerable, fix deferred
15.10 wily Not in release
14.04 LTS trusty Not in release
12.04 LTS precise Not in release
php5 24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Not in release
21.04 hirsute Not in release
20.10 groovy Not in release
20.04 LTS focal Not in release
19.10 eoan Not in release
19.04 disco Not in release
18.10 cosmic Not in release
18.04 LTS bionic Not in release
17.10 artful Not in release
17.04 zesty Not in release
16.10 yakkety Not in release
16.04 LTS xenial Not in release
15.10 wily Ignored end of life
15.04 vivid Ignored end of life
14.10 utopic Ignored end of life
14.04 LTS trusty
Vulnerable, fix deferred
12.04 LTS precise Ignored end of life
10.04 LTS lucid Ignored end of life

Notes

jdstrand

Upstream states this is a known issue

sbeattie

upstream claims fixed in 1.9.2, but still uses /tmp/pear/ according to debian bug report

mdeslaur

1.9.2+ only a DoS

rodrigo-zaiden

No complete fix was provided as of 2022-03-08.