Topic: backdored PEAR package

Hello!

recently i read about backdoor in PEAR php

https://twitter.com/pear/status/1086634503731404800

"If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from "


i found,what some remi packages was builded at  Thu 23 Aug 2018 07:36:31 AM MSK

for example:
php70-php-pear-1.10.6-1.el7.remi
and php-pear-1.10.6-1.el7.remi


Can you help and explain from which sources and how this two packages was builded?

i fear that sources have been downloaded from infected PEAR site

thank you

Re: backdored PEAR package

I'm aware of this issue but my packages don't use the  phar but individual tarball of each component.

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: backdored PEAR package

As double checking still make sense for security

Aug 23: 1.10.6-1  (PEAR 1.10.6)
Nov 30: 1.10.6-2  (EL-8 build)
Dec 06: 1.10.7-1  (PEAR 1.10.7)
Dec 06: 1.10.7-2  (EL-8 fix)
Dec 21: 1.10.7-3  (Archive_TAR 1.4.4)

+ checking the sources (PEAR 1.10.7 and Archive_TAR 1.4.4) with github ones.

No difference found.

So all online packages are OK

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: backdored PEAR package

BTW in most case you don't even need this package (which is no more a dependency of pecl packages)

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: backdored PEAR package

Remi,thank you! wink