diff --git a/.gitignore b/.gitignore
index 7e82305a2..981b0f04a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ doctrine/inflector/tests
doctrine/lexer/composer.json
doctrine/lexer/LICENSE
+pear/archive_tar/.github
pear/archive_tar/.travis.sh
pear/archive_tar/.travis.yml
pear/archive_tar/tests/
diff --git a/composer.json b/composer.json
index 8b1e17f56..ad458335f 100644
--- a/composer.json
+++ b/composer.json
@@ -28,7 +28,7 @@
"nikic/php-parser": "^4.2",
"patchwork/jsqueeze": "^2.0",
"patchwork/utf8": "1.3.1",
- "pear/archive_tar": "1.4.11",
+ "pear/archive_tar": "1.4.12",
"pear/pear-core-minimal": "^v1.10",
"phpseclib/phpseclib": "2.0.25",
"php-opencloud/openstack": "3.0.7",
diff --git a/composer.lock b/composer.lock
index 15ced0257..0b0b010b1 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "38b7f3fc2d479aa01e20d0b16416ebf8",
+ "content-hash": "b2d3c34b7087612c3f564f429684234e",
"packages": [
{
"name": "aws/aws-sdk-php",
@@ -2392,20 +2392,21 @@
"utf-8",
"utf8"
],
+ "abandoned": "symfony/polyfill-mbstring or symfony/string",
"time": "2016-05-18T13:57:10+00:00"
},
{
"name": "pear/archive_tar",
- "version": "1.4.11",
+ "version": "1.4.12",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
},
"dist": {
"type": "zip",
- "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"shasum": ""
},
"require": {
@@ -2458,7 +2459,17 @@
"archive",
"tar"
],
- "time": "2020-11-19T22:10:24+00:00"
+ "funding": [
+ {
+ "url": "https://github.com/mrook",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/michielrook",
+ "type": "patreon"
+ }
+ ],
+ "time": "2021-01-18T19:32:54+00:00"
},
{
"name": "pear/console_getopt",
diff --git a/composer/installed.json b/composer/installed.json
index b9df96c22..91ea8721d 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2461,17 +2461,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.11",
- "version_normalized": "1.4.11.0",
+ "version": "1.4.12",
+ "version_normalized": "1.4.12.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
},
"dist": {
"type": "zip",
- "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "url": "https://github.com/gitapi/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"shasum": ""
},
"require": {
@@ -2486,7 +2486,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2020-11-19T22:10:24+00:00",
+ "time": "2021-01-18T19:32:54+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -2525,6 +2525,16 @@
"keywords": [
"archive",
"tar"
+ ],
+ "funding": [
+ {
+ "url": "https://github.com/mrook",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/michielrook",
+ "type": "patreon"
+ }
]
},
{
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 92710741c..76771d5b5 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -1397,16 +1397,20 @@ public function _writeHeader($p_filename, $p_stored_filename)
$v_magic = 'ustar ';
$v_version = ' ';
+ $v_uname = '';
+ $v_gname = '';
if (function_exists('posix_getpwuid')) {
$userinfo = posix_getpwuid($v_info[4]);
$groupinfo = posix_getgrgid($v_info[5]);
- $v_uname = $userinfo['name'];
- $v_gname = $groupinfo['name'];
- } else {
- $v_uname = '';
- $v_gname = '';
+ if (isset($userinfo['name'])) {
+ $v_uname = $userinfo['name'];
+ }
+
+ if (isset($groupinfo['name'])) {
+ $v_gname = $groupinfo['name'];
+ }
}
$v_devmajor = '';
@@ -2120,6 +2124,14 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
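Review bot: The containment test on the first added line is a bare string prefix comparison, so any target directory whose real path merely begins with `realpath($p_path)` passes (a sibling such as `<extract dir>-old` is a constructed example), and `realpath()` resolves a relative `link` against the process cwd rather than the directory the symlink is created in, so the check can both accept and reject the wrong cases. When either `realpath()` call returns `false` the comparison degrades to `strpos('', …)`, which rejects, but only by accident rather than by an explicit check. I would resolve a relative target from `dirname($v_header['filename'])` (which, if I read the remove-path block above this hunk correctly, already carries `$p_path`), reject explicitly on `false`, and append a trailing separator to both sides before comparing. The enclosing `_extractList` starts and ends outside the hunk.
```php
} elseif ($v_header['typeflag'] == "2") {
    $v_base = realpath($p_path);
    $v_link_dir = dirname($v_header['link']);
    // A relative target is relative to the symlink's own directory, not the cwd
    if (substr($v_link_dir, 0, 1) != '/') {
        $v_link_dir = dirname($v_header['filename']) . '/' . $v_link_dir;
    }
    $v_target_dir = realpath($v_link_dir);
    // Trailing separator on both sides so a sibling directory sharing the prefix is rejected
    if ($v_base === false || $v_target_dir === false
        || strpos(rtrim($v_target_dir, '/') . '/', rtrim($v_base, '/') . '/') !== 0
    ) {
        $this->_error(
            'Out-of-path file extraction {'
            . $v_header['filename'] . ' --> ' .
            $v_header['link'] . '}'
        );
        return false;
    }
    // … unchanged: $p_symlinks warning and symlink creation …
```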
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 6edf4fd10..5da8ee884 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2020-11-19
-
+ 2021-01-18
+
- 1.4.11
+ 1.4.12
1.4.0
@@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
- CVE-2020-28949) [mrook]
+* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
@@ -75,7 +74,22 @@ Also Lzma2 compressed archives are supported with xz extension.
-
+
+
+ 1.4.11
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2020-11-19
+ New BSD License
+
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
+
+
+
1.4.10
1.4.0