A vulnerability in the PEAR installer has been found which allows arbitrary code execution. All versions of the installer up to and including release 1.4.2 are affected by this.

A poorly-implemented feature allows a package installed by the PEAR
installer to execute arbitrary code any time the “pear” command is
executed or the Web/Gtk frontend is loaded.

A new release of the installer is available which fixes this issue. Users are strongly encouraged to upgrade to it by running pear upgrade PEAR. The PEAR Team strongly recommends upgrading to the new version, PEAR 1.4.3:

pear upgrade PEAR-1.4.3
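The affected-version boundary stated above (every release up to and including 1.4.2) as a shell check an administrator can run on each host; this is example code added for this page, not code from the advisory or from the PEAR project. It assumes that "pear -V" prints a line of the form "PEAR Version: X.Y.Z".

```shell
#!/bin/sh
# Added example: decide whether an installed PEAR installer version falls
# in the affected range (<= 1.4.2) and, if so, point at the fixed release.

# Compare two dotted version strings component by component, numerically.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0, so
# "1.4" equals "1.4.0"; a non-numeric suffix such as "b1" in "1.4.0b1" is
# stripped, which treats a pre-release as its base version (still affected).
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Shell true (0) when VERSION is affected: all releases up to and including 1.4.2.
pear_affected() {
    [ "$(version_cmp "$1" 1.4.2)" -le 0 ]
}

# Inspect the locally installed installer. Assumption: "pear -V" reports a
# line "PEAR Version: X.Y.Z"; adjust the pattern if your build prints otherwise.
# Returns 0 when not affected, 1 when affected, 2 when no version was readable.
check_local_pear() {
    v=$(pear -V 2>/dev/null | awk '/^PEAR Version:/ { print $3; exit }')
    if [ -z "$v" ]; then
        echo "pear not found or version not readable"
        return 2
    fi
    if pear_affected "$v"; then
        echo "PEAR installer $v is affected; run: pear upgrade PEAR-1.4.3"
        return 1
    fi
    echo "PEAR installer $v is not affected"
}
```

Call check_local_pear on the host to test the installed installer; its exit status (1 = affected) makes it usable from a fleet-wide audit script.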