Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 755653 - <dev-php/PEAR-Archive_Tar-1.4.11: Multiple vulnerabilities (CVE-2020-28949)
Summary: <dev-php/PEAR-Archive_Tar-1.4.11: Multiple vulnerabilities (CVE-2020-28949)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/pear/Archive_Tar/i...
Whiteboard: B3 [glsa+ cve]
Keywords: ALLARCHES
Depends on:
Blocks: CVE-2020-28948, CVE-2020-28949
  Show dependency tree
 
Reported: 2020-11-20 05:04 UTC by Sam James
Modified: 2021-01-26 00:22 UTC (History)
1 user (show)

See Also:
Package list:
dev-php/PEAR-Archive_Tar-1.4.11 *
Runtime testing required: ---
nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-20 05:04:22 UTC 
Description:
"Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed."

Patch: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

Please bump to 1.4.11.
Comment 1 Larry the Git Cow gentoo-dev 2020-11-20 14:00:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8cf5201eed5b8242807379bffa68d9755bd9728

commit a8cf5201eed5b8242807379bffa68d9755bd9728
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2020-11-20 13:57:05 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2020-11-20 13:57:05 +0000

    dev-php/PEAR-Archive_Tar: Security bump for 1.4.11
    
    Bug: https://bugs.gentoo.org/755653
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 +
 .../PEAR-Archive_Tar-1.4.11.ebuild                 | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-20 14:12:14 UTC 
Thanks for quick bump! Let us know when it's ready to stable.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 17:41:22 UTC 
ping, ready?
Comment 4 Larry the Git Cow gentoo-dev 2020-12-06 19:17:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a1dd59ffaec64623d0a799248c48e43eab5db7

commit 35a1dd59ffaec64623d0a799248c48e43eab5db7
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-06 19:17:19 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-06 19:17:19 +0000

    dev-php/PEAR-Archive_Tar: security cleanup
    
    Bug: https://bugs.gentoo.org/755653
    Package-Manager: Portage-3.0.10, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 -
 .../PEAR-Archive_Tar-1.4.10.ebuild                 | 31 ----------------------
 2 files changed, 32 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c95a8e2e2ded25f3539fde41e392a3e780dd874b

commit c95a8e2e2ded25f3539fde41e392a3e780dd874b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-06 19:17:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-06 19:17:00 +0000

    dev-php/PEAR-Archive_Tar: x86 stable, applying ALLARCHES policy
    
    Bug: https://bugs.gentoo.org/755653
    Package-Manager: Portage-3.0.10, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-php/PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 NATTkA bot gentoo-dev 2021-01-20 15:20:54 UTC 
Unable to check for sanity:

> no match for package: dev-php/PEAR-Archive_Tar-1.4.11
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:14 UTC 
This issue was resolved and addressed in
 GLSA 202101-23 at https://security.gentoo.org/glsa/202101-23
by GLSA coordinator Sam James (sam_c).