CVE-2014-5459

Publication date 27 September 2014

Last updated 15 September 2025

Ubuntu priority

Negligible

Why this priority?

Description

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

Read the notes from the security team

Status

Package Ubuntu Release Status
php5 25.10 questing Not in release
25.04 plucky Not in release
24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Not in release
21.04 hirsute Not in release
20.10 groovy Not in release
20.04 LTS focal Not in release
19.10 eoan Not in release
19.04 disco Not in release
18.10 cosmic Not in release
18.04 LTS bionic Not in release
17.10 artful Not in release
17.04 zesty Not in release
16.10 yakkety Not in release
16.04 LTS xenial Not in release
15.10 wily Ignored end of life
15.04 vivid Ignored end of life
14.10 utopic Ignored end of life
14.04 LTS trusty
Vulnerable, fix deferred
12.04 LTS precise Ignored end of life
10.04 LTS lucid Ignored end of life
php-pear 25.10 questing
Vulnerable, fix deferred
25.04 plucky
Vulnerable, fix deferred
24.10 oracular Ignored end of life, was deferred [2022-03-08]
24.04 LTS noble
Vulnerable, fix deferred
23.10 mantic Ignored end of life, was deferred [2022-03-08]
23.04 lunar Ignored end of life, was deferred [2022-03-08]
22.10 kinetic Ignored end of life, was deferred [2022-03-08]
22.04 LTS jammy
Vulnerable, fix deferred
21.10 impish Ignored end of life
21.04 hirsute Ignored end of life
20.10 groovy Ignored end of life
20.04 LTS focal
Vulnerable, fix deferred
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.10 cosmic Ignored end of life
18.04 LTS bionic
Vulnerable, fix deferred
17.10 artful Ignored end of life
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Vulnerable, fix deferred
15.10 wily Not in release
14.04 LTS trusty Not in release
12.04 LTS precise Not in release

Notes

jdstrand

Upstream states this is a known issue

sbeattie

upstream claims fixed in 1.9.2, but still uses /tmp/pear/ according to debian bug report

mdeslaur

1.9.2+ only a DoS

rodrigo-zaiden

No complete fix was provided as of 2022-03-08.

References

Other references