The PEAR Installer contains a flaw as the package.xml file creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the download_dir, cache_dir, tmp_dir, and pear-build-download directories to cause the program to unexpectedly overwrite an arbitrary file.
Local Access Required
Loss of Integrity
It has been reported that this issue has been fixed. Upgrade to version 1.9.2, or higher, to address this vulnerability.