VulnerableCode Package Details - pkg:deb/debian/php-pear@1:1.10.6%2Bsubmodules%2Bnotgz-1.1?distro=trixie

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/php-pear@1:1.10.6%2Bsubmodules%2Bnotgz-1.1?distro=trixie

purl	pkg:deb/debian/php-pear@1:1.10.6%2Bsubmodules%2Bnotgz-1.1?distro=trixie

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-rdg5-wdyd-xbdm	Deserialization of Untrusted Data There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified.	CVE-2018-1000888 GHSA-3q76-jq6m-573p

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:20:46.391535+00:00	Debian Importer	Fixing	VCID-rdg5-wdyd-xbdm	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:11:56.684758+00:00	Debian Importer	Fixing	VCID-rdg5-wdyd-xbdm	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:49:40.090234+00:00	Debian Importer	Fixing	VCID-rdg5-wdyd-xbdm	https://security-tracker.debian.org/tracker/data/json	38.1.0