Details about PEAR Compromise and Suggested Steps

January 25, 2019
PHP

On January 19th, 2019, the team behind PEAR (PHP Extension and Application Repository) announced that their web server hosting pear.php.net had been compromised. It was also determined that the copy of PEAR available for download on their site included a compromised version of the go-pear.phar file which is used to install PEAR.

The PEAR team has indicated that anyone who has downloaded this file from their site since December 20th, 2018 should be concerned. However, because the last known good copy of this file is from August 2018, it is suggested to check if you have been impacted by this compromise if you have installed PEAR since then.

Cases where a compromise is very likely:

  • If you have installed PEAR manually by downloading it from their website pear.php.net since December 20, 2018.

Cases where a compromise is less likely but possible:

  • If you have installed PEAR manually by downloading it from their website pear.php.net between August 2018 and December 20, 2018.

Cases where a compromise is not likely:

  • If PEAR was installed using a package manager on your system.
  • If PEAR was included with the version of PHP installed on your system.
  • If PEAR was installed manually by downloading it from their website pear.php.net before August 2018.

How to confirm if your system is subject to this compromise:

If you have downloaded this go-pear.phar file since August 2018, it’s recommended that you check if it is a version that has been compromised. This can be done by doing the following:

  • Change to the directory that this go-pear.phar file was downloaded to.
  • Run: md5sum go-pear.phar

If the reported checksum of this file is 1e26d9dd3110af79a9595f1a77a82de7, this means the version that was downloaded has been compromised.

If you have downloaded a compromised version of this file, we would encourage you to immediately back up all of your data, including your database(s) and website files. Once a backup of this data is available, we would recommend deploying a new Droplet, uploading your data, and then importing your databases into this new Droplet.

To aid in this migration process, please refer to our Community articles that outline how to compress your data, migrate it using Rsync and how to import and export databases.

Once you have confirmed that things are working properly on this new Droplet, destroy the original Droplet that contains this compromised go-pear.phar file.

Until PEAR has communicated that this has been addressed and resolved, we advise against installing it. To follow the status of their investigation and for additional details, you can refer to their Twitter account. They have also stated that they will post details to their blog once their site has been restored.
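The checksum check described in the post, extended to find every go-pear.phar under a directory tree, is sketched below as an added example (not part of the original post or of PEAR's own tooling). The function names and the optional hash argument are assumptions made for illustration; the default checksum is the one quoted in the post.

```shell
#!/bin/sh
# Added example: flag any go-pear.phar whose MD5 equals the compromised
# checksum quoted in the post. Function names here are hypothetical.

BAD_MD5="1e26d9dd3110af79a9595f1a77a82de7"   # value given in the post

# file_md5 FILE -> prints the hex MD5; returns 2 if FILE cannot be read.
file_md5() {
    [ -r "$1" ] || return 2
    # Read via stdin so unusual file names cannot alter md5sum's output.
    md5sum < "$1" | cut -d' ' -f1
}

# is_compromised FILE [HASH] -> 0 if FILE's MD5 equals HASH (default
# BAD_MD5), 1 if it differs, 2 if the file cannot be read.
is_compromised() {
    sum=$(file_md5 "$1") || return 2
    [ "$sum" = "${2:-$BAD_MD5}" ]
}

# scan_tree DIR [HASH] -> prints one status line per go-pear.phar found
# under DIR; returns 1 if any copy matched, 0 otherwise.
scan_tree() {
    found=0
    list=$(mktemp) || return 2   # temp file keeps the loop in this shell
    find "$1" -type f -name 'go-pear.phar' > "$list" 2>/dev/null || true
    while IFS= read -r f; do
        is_compromised "$f" "$2" && rc=0 || rc=$?
        case $rc in
            0) echo "COMPROMISED $f"; found=1 ;;
            1) echo "ok $f" ;;
            *) echo "unreadable $f" ;;
        esac
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Stand-alone use: pass one or more directories to scan as arguments.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do scan_tree "$d" || status=1; done
    exit "$status"
fi
```

An "ok" line only means the file is not the specific copy identified by that checksum.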

1 Answer

Yeah, it was a shocking moment for all of us, but I believe the PEAR team, and hope they will not let it happen again in the future.

  • To be frank I can’t recall the last time I used anything PHP related outside of my default OS repository. I suspect I’m far from alone, so hopefully the impact here was minimal.
