
Possible symlink attack


Every single time I want to upgrade or install a PEAR package I get the following series of error messages:

C:\>pear upgrade
Error getting channel info from pear.php.net: SECURITY ERROR: Will not write to C:\Users\ALVARO.GONZALEZ\AppData\Local\Temp\pear\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cacheid as it is symlinked to C:\Users\ALVARO.GONZALEZ\AppData\Local\Temp\pear\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cacheid - Possible symlink attack
[...]

What symlink is it talking about? When I copy and paste both paths and put them side by side I honestly can't spot the difference:

C:\Users\ALVARO.GONZALEZ\AppData\Local\Temp\pear\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cacheid
C:\Users\ALVARO.GONZALEZ\AppData\Local\Temp\pear\cache\6d1f6e892384ae452db9a1bd59ee95f5rest.cacheid

The error goes away when I empty the cache dir:

C:\>pear clear-cache
reading directory C:\Users\ALVARO.GONZALEZ\AppData\Local\Temp\pear\cache
74 cache entries cleared

... until the next time I need to install stuff.

My questions are:

  1. Why are those errors being triggered?
  2. Is there any way to prevent them from showing up in the first place?

Edit: There's an open ticket about this filed in late 2011. The issue was caused by a security fix for Symlink attack in PEAR install. I'll report back with whatever comes out.


Solution

  • The issue was a PEAR bug:

    The bug was fixed in PEAR 1.9.5, released on 12th July 2014.