Net_Traceroute and Net_Ping security advisory

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01


Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute packages.


Net_Ping is an OS-independent wrapper class for executing ping calls from PHP.

Net_Traceroute is an OS-independent wrapper class for executing traceroute calls from PHP.

Affected packages

   Package          /  Vulnerable  /  Unaffected
1  Net_Ping            < 2.4.5        >= 2.4.5
2  Net_Traceroute      < 0.21.2       >= 0.21.2

2 affected packages on all of their supported architectures.


Remote Arbitrary Command Injection


When input from forms is used directly, an attacker could pass values that allow remote arbitrary command injection.


Filter your input to make sure the values passed into the commands are shell-escaped, or upgrade to the latest version of both packages.
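
One way to apply the input-filtering advice above, as an added PHP example that is not part of the advisory or of either package. The helper names validate_target() and build_ping_command() are hypothetical, the Unix-style `ping -c 1` command line is an assumption, and the form values are constructed samples.

```php
<?php
// Added example, not Net_Ping or Net_Traceroute code.
// Weak pattern the advisory warns about: concatenating a form value
// straight into a command string, e.g. 'ping -c 1 ' . $_POST['host'].

/**
 * Return the host if it is an IP literal or an RFC 1123 hostname, else null.
 * Allow-listing rejects shell metacharacters and also a leading "-", which
 * escaping alone would pass through to the program as an option.
 */
function validate_target(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;                       // IPv4 or IPv6 literal
    }
    // Labels: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1) {
        return $host;
    }
    return null;
}

/** Build the command only from a validated host, and still shell-escape it. */
function build_ping_command(string $input): ?string
{
    $host = validate_target($input);
    if ($host === null) {
        return null;                        // caller should show a form error
    }
    return 'ping -c 1 ' . escapeshellarg($host);   // assumed Unix-style ping
}

// Constructed sample form values: three legitimate, three hostile.
$samples = ['example.org', '192.0.2.10', '2001:db8::1',
            'example.org; id', '$(id)', '-f example.org'];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-18s => %s\n", $s, $cmd === null ? 'REJECTED' : $cmd);
}
```

The same validated value is what should be handed to the wrapper classes on versions that predate the fix; validation and escaping are complementary, since escaping does not stop a value that begins with a hyphen from being read as an option.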


The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.



Ubuntu Karmic Ships with PEAR-Affecting Issues

Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release.  The bug is fixed, and will be included in upcoming updates from Ubuntu.

From PEAR’s perspective, the key issue relates to the zlib library.  This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed.  The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.

If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message.  This means the process failed.  The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:

pear install -Z phpdocumentor


Outage over

The core router issues at the hosting provider have been resolved.  Sorry for the inconvenience. and the PEAR channel are now back in business.


PEAR Website Outage

The PEAR website is currently unavailable due to network issues where the server is located. The hosting provider is working to restore service.

In the meantime, the best alternative for PEAR installer usage is to point your “preferred_mirror” to one of the mirror PEAR channel servers. Use one of the commands below to choose a mirror near you:

  • U.S: pear config-set preferred_mirror
  • Germany: pear config-set preferred_mirror

If you are using a PEAR installer older than version 1.9.0, and the preferred_mirror settings do not work successfully for you, a manual alternative for retrieving packages is to use the “download” command and point directly to the tarball file:

  • pear download
  • pear download

If using this option, you must specify the package name in the correct case, while including the version number and the file type:

  • PEAR-1.9.0.tgz
  • Archive_Tar-1.2.3.tar

Fixing “unsupported protocol”

Some PEAR installations on PHP 5.2.9 and 5.2.10 seem to be corrupted. When trying to install something, you will get the error: is using a unsupported protocal – This should never happen. install failed

This problem comes from corrupted channel files. Go into your PEAR php directory and back up the .channels directory:

cd `pear config-get php_dir`
mv .channels .channels-broken
pear update-channels

This means you lose all your channels except for the default ones (pear, pecl, doc and __uri) – but at least you do not have to re-install PEAR.

Sorry for the inconvenience.


The new Group has been elected!

I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.

With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.

Congratulations to the elected 7s (In no particular order):

  • Christian Weiske
  • Chuck Burgess
  • Daniel O’Connor
  • Ken Guest
  • Bill Shupp
  • Michael Gauthier
  • Brett Bieber

I can’t wait to have our first meeting and get the year kicking!

Thanks to everyone who voted!


The elections are still going!

As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!

So remember to cast your vote at and you have until the 5th of August 2009.

There are many new candidates for the Group and I think you should go and check them out!


Setting Up PEAR2 and PEAR Checkouts With SVN 1.5+

Now that pear2 is in, it is possible to do commits with
multiple packages using a feature of subversion called “sparse checkouts.”

Rasmus wrote about this for setting up php checkouts here:

Here is the version I used to set up pear and pear2 in a way that will
allow committing to both pear and pear2 packages in a single commit.
For packages like Console_CommandLine that live in both repositories,
this is very useful for tracking merges.  (Note: on windows, get
TortoiseSVN 1.6.3, and right-click “checkout” for checkout, and use the
“update to revision” option for the sparse updates)

# the initial checkout takes --depth; later updates take --set-depth
svn co --depth empty phpsvn
cd phpsvn
svn up --set-depth immediates pear pear2
svn up --set-depth immediates pear2/* pear/*
svn up --set-depth infinity pear2/*/trunk pear/*/trunk
svn up --set-depth immediates pear2/sandbox
svn up --set-depth infinity pear2/sandbox/*/trunk
svn up --set-depth immediates pear/peardoc
svn up --set-depth infinity pear/peardoc/trunk

At this point, your work is done.  You can perform the same steps for
pearweb if you’re a maintainer, and be on your way.

With the above setup, when you make a change to a package, you can
update the documentation immediately and commit it together, by changing
to phpsvn and running “svn commit” (Windows: right-click on the phpsvn
folder and choose “svn commit”)

Hopefully this will get people started with being able to develop more
efficiently and to work effectively with PEAR2.

If you want to start a Pear2 package, all you need to do is send an
email to the, and the PEAR Group will get you set up.  I’m happy to answer
any questions.

Greg Beaver


PHP 5.3 Windows and PEAR (go-pear.phar)

Some users have reported that the Windows builds of PHP 5.3 are not able to open the shipped go-pear.phar file.

As a workaround, users can run the distributed phar with php -d phar.require_hash=0 go-pear.phar or download and use the non-pharred version.

moving on

Thanks to the efforts of Daniel O’Connor, the PEAR website is getting nicer and better. Bug RSS feeds support Baetle now, the PEAR proposal system – PEPr – works again and many small improvements and fixes found their way on the site.
