Bug 675576 (CVE-2018-1000888) - <dev-php/PEAR-Archive_Tar-1.4.5: remote code execution vulnerability
Summary: <dev-php/PEAR-Archive_Tar-1.4.5: remote code execution vulnerability
Status: RESOLVED FIXED
Alias: CVE-2018-1000888
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-16 12:29 UTC by Eddie Chapman
Modified: 2020-06-15 15:46 UTC

See Also:
Package list:
dev-php/PEAR-Archive_Tar-1.4.5
Runtime testing required: ---


Attachments

Description Eddie Chapman 2019-01-16 12:29:18 UTC
From MITRE CVE entry:

"PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4."

Other references:
http://blog.pear.php.net/2018/12/20/security-vulnerability-announcement-archive_tar/
http://pear.php.net/package/Archive_Tar/download/
https://pear.php.net/bugs/bug.php?id=23782

Please note the vulnerability is reported as being fixed in 1.4.4, but 1.4.4 introduced a regression so a further release (1.4.5) was made (see http://pear.php.net/bugs/bug.php?id=23788 ).

So of course the overall solution is to bump to the latest version 1.4.5.

Reproducible: Didn't try
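The CVE text above boils down to one root cause: entry names taken straight from tar headers were handed to PHP file functions, and PHP treats a name such as `phar://...` as a stream wrapper rather than a plain path, so a mere `file_exists()` on it deserializes the phar's metadata. A defensive pre-extraction check, added here as an example that is not part of this bug report or of the Archive_Tar project, is to parse the archive's headers yourself and reject any entry whose name carries a wrapper scheme, is absolute, or traverses upward, before any file operation touches it. The minimal ustar reader, the function names (`tarHeader`, `tarEntryNames`, `unsafeEntryName`, `scanTar`) and the in-memory sample archive are all constructed for this example and are assumptions, not Archive_Tar's API.

```php
<?php
// Added example (not from the bug report or the Archive_Tar project): scan a
// tar image for entry names that PHP would interpret as stream wrappers or as
// paths outside the extraction directory, before anything calls file_exists()
// or similar on them. The ustar reader below is a deliberately minimal one
// written for this example (no GNU longname support); the sample archive is
// constructed in memory at the bottom.
declare(strict_types=1);

// Build one 512-byte ustar header block for a regular-file entry.
// Only the fields this example needs are filled in; the rest are zero.
function tarHeader(string $name, int $size): string
{
    $h  = str_pad(substr($name, 0, 100), 100, "\0");   // name
    $h .= sprintf("%07o\0", 0644);                     // mode
    $h .= sprintf("%07o\0", 0);                        // uid
    $h .= sprintf("%07o\0", 0);                        // gid
    $h .= sprintf("%011o\0", $size);                   // size (octal)
    $h .= sprintf("%011o\0", 0);                       // mtime
    $h .= '        ';                                  // checksum: spaces while summing
    $h .= '0';                                         // typeflag: regular file
    $h .= str_repeat("\0", 100);                       // linkname
    $h .= "ustar\0" . '00';                            // magic + version
    $h .= str_repeat("\0", 32);                        // uname
    $h .= str_repeat("\0", 32);                        // gname
    $h .= sprintf("%07o\0", 0) . sprintf("%07o\0", 0); // devmajor / devminor
    $h .= str_repeat("\0", 155);                       // prefix
    $h  = str_pad($h, 512, "\0");
    $sum = array_sum(array_map('ord', str_split($h)));
    // Checksum field is 6 octal digits, a NUL and a space, at offset 148.
    return substr_replace($h, sprintf("%06o\0 ", $sum), 148, 8);
}

// Walk the archive header by header and return every entry name,
// joining the ustar prefix field when it is set.
function tarEntryNames(string $tar): array
{
    $names = [];
    $off = 0;
    while ($off + 512 <= strlen($tar)) {
        $block = substr($tar, $off, 512);
        if (trim($block, "\0") === '') {       // all-zero block ends the archive
            break;
        }
        $name   = rtrim(substr($block, 0, 100), "\0");
        $prefix = rtrim(substr($block, 345, 155), "\0");
        if ($prefix !== '') {
            $name = $prefix . '/' . $name;
        }
        $size = (int) octdec(trim(substr($block, 124, 12), "\0 "));
        $names[] = $name;
        // Skip the header plus the data, which is padded to 512-byte blocks.
        $off += 512 + (int) (ceil($size / 512) * 512);
    }
    return $names;
}

// Return a reason string if the entry name must not reach a file function,
// or null if it looks like a plain relative path.
function unsafeEntryName(string $name): ?string
{
    // Any "scheme://" prefix (phar://, file://, data://, ...) is a PHP stream
    // wrapper, which is exactly what the CVE description abuses.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        return 'stream wrapper scheme';
    }
    if ($name !== '' && $name[0] === '/') {
        return 'absolute path';
    }
    foreach (explode('/', str_replace('\\', '/', $name)) as $part) {
        if ($part === '..') {
            return 'parent-directory traversal';
        }
    }
    return null;
}

// Map each offending entry name to the reason it was rejected.
function scanTar(string $tar): array
{
    $findings = [];
    foreach (tarEntryNames($tar) as $name) {
        $why = unsafeEntryName($name);
        if ($why !== null) {
            $findings[$name] = $why;
        }
    }
    return $findings;
}

// Constructed sample archive: one benign entry followed by one whose name is a
// phar:// wrapper path (placeholder name, not a real file), then the two
// terminating zero blocks.
$payload = "hello\n";
$sampleTar = tarHeader('docs/readme.txt', strlen($payload))
           . str_pad($payload, 512, "\0")
           . tarHeader('phar://tmp/example.phar/entry', 0)
           . str_repeat("\0", 1024);

foreach (scanTar($sampleTar) as $name => $why) {
    printf("REJECT %s: %s\n", $name, $why);
}
```

Running the scan before handing an archive to any extractor catches the `phar://` shape the CVE text describes without ever touching the filesystem. It complements, rather than replaces, the two measures the report itself points to: upgrading to 1.4.5, and not calling extract without an explicit prefix path, since the description states that the trigger depends on the prefix being absent.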
Comment 1 Larry the Git Cow gentoo-dev 2019-01-16 14:57:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca18a3ab3298533a4d2b035018f738f8cb4df5ad

commit ca18a3ab3298533a4d2b035018f738f8cb4df5ad
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-01-16 14:56:53 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-01-16 14:56:53 +0000

    dev-php/PEAR-Archive_Tar: Version bump for 1.4.5
    
    Bug: https://bugs.gentoo.org/675576
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 +
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.5.ebuild | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
Comment 2 Brian Evans (RETIRED) gentoo-dev 2019-01-16 15:00:27 UTC
Please test and mark stable

As this is pure PHP text code, the ALLARCHES policy applies
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-24 22:26:31 UTC
All arches done.
Comment 4 Larry the Git Cow gentoo-dev 2019-01-24 23:30:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a158d06fe1dca9963ddbf792635adcbae1f6f73

commit 5a158d06fe1dca9963ddbf792635adcbae1f6f73
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-01-24 23:30:11 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-01-24 23:30:11 +0000

    dev-php/PEAR-Archive_Tar: Drop vulnerable version
    
    Bug: https://bugs.gentoo.org/675576
    Package-Manager: Portage-2.3.57, Repoman-2.3.12
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  1 -
 .../PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.3.ebuild | 31 ----------------------
 2 files changed, 32 deletions(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 02:08:37 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 6 NATTkA bot gentoo-dev 2020-04-06 15:16:39 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:46:44 UTC
This issue was resolved and addressed in
 GLSA 202006-14 at https://security.gentoo.org/glsa/202006-14
by GLSA coordinator Aaron Bauman (b-man).