Merge pull request #600 from nextcloud/dependabot/composer/stable19/p…

…ear/archive_tar-1.4.12

.gitignore

@@ -33,6 +33,7 @@ doctrine/inflector/tests
 doctrine/lexer/composer.json
 doctrine/lexer/LICENSE
 
+pear/archive_tar/.github
 pear/archive_tar/.travis.sh
 pear/archive_tar/.travis.yml
 pear/archive_tar/tests/

composer.json

@@ -28,7 +28,7 @@
 		"nikic/php-parser": "^4.2",
 		"patchwork/jsqueeze": "^2.0",
 		"patchwork/utf8": "1.3.1",
-		"pear/archive_tar": "1.4.11",
+		"pear/archive_tar": "1.4.12",
 		"pear/pear-core-minimal": "^v1.10",
 		"phpseclib/phpseclib": "2.0.25",
 		"php-opencloud/openstack": "3.0.7",

composer/installed.json

@@ -2461,17 +2461,17 @@
     },
     {
         "name": "pear/archive_tar",
-        "version": "1.4.11",
-        "version_normalized": "1.4.11.0",
+        "version": "1.4.12",
+        "version_normalized": "1.4.12.0",
         "source": {
             "type": "git",
             "url": "https://github.com/pear/Archive_Tar.git",
-            "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
+            "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
         },
         "dist": {
             "type": "zip",
-            "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
-            "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+            "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+            "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
             "shasum": ""
         },
         "require": {
@@ -2486,7 +2486,7 @@
             "ext-xz": "Lzma2 compression support.",
             "ext-zlib": "Gzip compression support."
         },
-        "time": "2020-11-19T22:10:24+00:00",
+        "time": "2021-01-18T19:32:54+00:00",
         "type": "library",
         "extra": {
             "branch-alias": {
@@ -2525,6 +2525,16 @@
         "keywords": [
             "archive",
             "tar"
+        ],
+        "funding": [
+            {
+                "url": "https://github.com/mrook",
+                "type": "github"
+            },
+            {
+                "url": "https://www.patreon.com/michielrook",
+                "type": "patreon"
+            }
         ]
     },
     {

pear/archive_tar/Archive/Tar.php

@@ -1397,16 +1397,20 @@ public function _writeHeader($p_filename, $p_stored_filename)
 
         $v_magic = 'ustar ';
         $v_version = ' ';
+        $v_uname = '';
+        $v_gname = '';
 
         if (function_exists('posix_getpwuid')) {
             $userinfo = posix_getpwuid($v_info[4]);
             $groupinfo = posix_getgrgid($v_info[5]);
 
-            $v_uname = $userinfo['name'];
-            $v_gname = $groupinfo['name'];
-        } else {
-            $v_uname = '';
-            $v_gname = '';
+            if (isset($userinfo['name'])) {
+                $v_uname = $userinfo['name'];
+            }
+
+            if (isset($groupinfo['name'])) {
+                $v_gname = $groupinfo['name'];
+            }
         }
 
         $v_devmajor = '';
@@ -2120,6 +2124,14 @@ public function _extractList(
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                            $this->_error(
+                                 'Out-of-path file extraction {'
+                                 . $v_header['filename'] . ' --> ' .
+                                 $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'

pear/archive_tar/package.xml

@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
   <email>stig@php.net</email>
   <active>no</active>
  </helper>
- <date>2020-11-19</date>
- <time>22:06:48</time>
+ <date>2021-01-18</date>
+ <time>19:29:56</time>
  <version>
-  <release>1.4.11</release>
+  <release>1.4.12</release>
   <api>1.4.0</api>
  </version>
  <stability>
@@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </stability>
  <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
  <notes>
-* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
-   CVE-2020-28949) [mrook]
+* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
  </notes>
  <contents>
   <dir name="/">
@@ -75,7 +74,22 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </dependencies>
  <phprelease />
  <changelog>
-   <release>
+  <release>
+   <version>
+    <release>1.4.11</release>
+    <api>1.4.0</api>
+   </version>
+   <stability>
+    <release>stable</release>
+    <api>stable</api>
+   </stability>
+   <date>2020-11-19</date>
+   <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+   <notes>
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
+   </notes>
+  </release>
+  <release>
     <version>
      <release>1.4.10</release>
      <api>1.4.0</api>