Bug 724520

Summary: <dev-php/PEAR-Archive_Tar-1.4.6: Path traversal vulnerability
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: php-bugs
Priority: Normal
Keywords: ALLARCHES, CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://github.com/pear/Archive_Tar/commit/86f8afb6a11ea863ebc0dc676367a19ffa31139d
See Also: https://bugs.gentoo.org/show_bug.cgi?id=675576
Whiteboard: B4 [stable]
Package list:
=dev-php/PEAR-Archive_Tar-1.4.9
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 01:43:50 UTC
Improved path traversal detection was introduced in PEAR-Archive_Tar 1.4.6.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 01:45:21 UTC
Note that 1.4.9 includes a hardening option to disable symlinks: https://github.com/pear/Archive_Tar/commit/749b18742ba1beb1d4586cabc87443d29c97dbbd

----
@maintainer(s), please advise if ready for stabilisation or call yourself. Possibly of 1.4.9.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 16:56:16 UTC
I'll go ahead in a few days if no objections.
Comment 3 NATTkA bot gentoo-dev 2020-06-04 17:00:37 UTC
Unable to check for sanity:

> no match for package: =dev-php/PEAR-Archive_Tar-1.4.6
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-06 17:29:42 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-06 17:32:32 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-06 17:35:40 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-06 17:38:00 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-06 18:11:00 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-07 08:45:24 UTC
amd64 stable
Comment 10 Larry the Git Cow gentoo-dev 2020-06-08 16:44:07 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e2e9ffc7ea538167dfcdfcad266ca8e1c0d67a9

commit 1e2e9ffc7ea538167dfcdfcad266ca8e1c0d67a9
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2020-06-08 16:09:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-06-08 16:43:41 +0000

    dev-php/PEAR-Archive_Tar: stable 1.4.9 for hppa under ALLARCHES
    
    Closes: https://bugs.gentoo.org/724520
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    RepoMan-Options: --include-arches="hppa"
    Signed-off-by: Rolf Eike Beer <eike@sf-mail.de>
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-php/PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)