From URL: When constructing a PHAR/TAR archive using PharData::buildFromDirectory and PharData::buildFromIterator, file paths returned by RecursiveIteratorIterator are validated to ensure that files are from inside the specified directory:

https://github.com/php/php-src/blob/aff365871aec54c9a556d7667f131b8638d20194/ext/phar/phar_object.c#L1504

However, due to the check being too lenient, it can be bypassed with the following values:

- base: /usr/foo
- fname: /usr/foobar

or

- base: /tmp
- fname: /var/tmp

Expected result:
----------------
UnexpectedValueException is thrown.

Fatal error: Uncaught UnexpectedValueException: Iterator RecursiveIteratorIterator returned a path "/tmp/usr/foobar/file" that is not in the base directory "/tmp/usr/foo"...

Actual result:
--------------
/tmp/usr/foobar/file (which is outside of the base directory /tmp/usr/foo) is included in archive.tar

Seems fixed in 7.3.20 and 7.4.23, so please bump.
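The two bypass pairs in the report are exactly the cases a bare substring or prefix comparison gets wrong: "/usr/foobar" starts with "/usr/foo", and "/var/tmp" contains "/tmp". The C below is an added example, not code from php-src or from this bug report; it places an assumed lenient check (`lenient_in_base`, a plain substring test used here only to illustrate the failure class the report describes) beside a strict containment check (`strict_in_base`, also an assumed name) that requires the candidate path to be the base directory itself or to continue with a path separator immediately after it. Both inputs are expected to be canonicalised (for example with realpath) before the comparison, so that symlinks and ".." segments cannot defeat the string test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lenient containment test: accepts fname whenever base appears anywhere
 * inside it. This is an assumed illustration of the weakness class the
 * report describes, not a copy of the php-src check. */
static bool lenient_in_base(const char *base, const char *fname)
{
    return strstr(fname, base) != NULL;
}

/* Strict containment test. fname is inside base only if it is base itself
 * or base followed immediately by '/'. Trailing slashes on base are ignored
 * so "/tmp/usr/foo" and "/tmp/usr/foo/" behave the same. Both arguments are
 * assumed to be canonical absolute paths (realpath'd by the caller). */
static bool strict_in_base(const char *base, const char *fname)
{
    size_t blen = strlen(base);

    while (blen > 1 && base[blen - 1] == '/')
        blen--;                                  /* strip trailing '/' */

    if (strncmp(fname, base, blen) != 0)
        return false;                            /* must begin with base */

    if (blen == 1 && base[0] == '/')
        return true;                             /* base is the filesystem root */

    /* The character right after the base prefix decides the case:
     * '\0' means fname == base, '/' means a child path, anything else
     * means a sibling that merely shares a prefix (the "/usr/foobar" case). */
    return fname[blen] == '\0' || fname[blen] == '/';
}

/* Demonstration on the pairs quoted in the report (constructed input). */
int main(void)
{
    const char *pairs[][2] = {
        { "/usr/foo",     "/usr/foobar"          },   /* prefix collision */
        { "/tmp",         "/var/tmp"             },   /* substring collision */
        { "/tmp/usr/foo", "/tmp/usr/foo/file"    },   /* genuine child */
        { "/tmp/usr/foo", "/tmp/usr/foobar/file" },   /* the reported leak */
    };

    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        printf("base=%-14s fname=%-24s lenient=%d strict=%d\n",
               pairs[i][0], pairs[i][1],
               lenient_in_base(pairs[i][0], pairs[i][1]),
               strict_in_base(pairs[i][0], pairs[i][1]));
    }
    return 0;
}
```

Running it shows the lenient test accepting all four pairs while the strict test accepts only the genuine child, which is the behaviour the report's "Expected result" section asks for.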
Please stable when ready.
ping
Earliest fixed version in tree should be the one in the summary (and thus recommended as the minimum version to users to fix the vulnerability)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
GLSA released, all done!