Bug 724520 - <dev-php/PEAR-Archive_Tar-1.4.6: Path traversal vulnerability
Summary: <dev-php/PEAR-Archive_Tar-1.4.6: Path traversal vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/pear/Archive_Tar/c...
Whiteboard: B4 [stable]
Keywords: ALLARCHES, CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-05-22 01:43 UTC by Sam James
Modified: 2020-06-08 16:47 UTC
CC List: 1 user

See Also:
Package list:
=dev-php/PEAR-Archive_Tar-1.4.9
Runtime testing required: ---
nattka: sanity-check+


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 01:43:50 UTC
Improved path traversal detection was introduced in PEAR-Archive_Tar 1.4.6.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 01:45:21 UTC
Note that 1.4.9 includes a hardening option to disable symlinks: https://github.com/pear/Archive_Tar/commit/749b18742ba1beb1d4586cabc87443d29c97dbbd

----
@maintainer(s), please advise if ready for stabilisation or call yourself. Possibly of 1.4.9.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 16:56:16 UTC
I'll go ahead in a few days if no objections.
Comment 3 NATTkA bot gentoo-dev 2020-06-04 17:00:37 UTC
Unable to check for sanity:

> no match for package: =dev-php/PEAR-Archive_Tar-1.4.6
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-06 17:29:42 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-06 17:32:32 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-06 17:35:40 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-06 17:38:00 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-06 18:11:00 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-07 08:45:24 UTC
amd64 stable
Comment 10 Larry the Git Cow gentoo-dev 2020-06-08 16:44:07 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e2e9ffc7ea538167dfcdfcad266ca8e1c0d67a9

commit 1e2e9ffc7ea538167dfcdfcad266ca8e1c0d67a9
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2020-06-08 16:09:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-06-08 16:43:41 +0000

    dev-php/PEAR-Archive_Tar: stable 1.4.9 for hppa under ALLARCHES
    
    Closes: https://bugs.gentoo.org/724520
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    RepoMan-Options: --include-arches="hppa"
    Signed-off-by: Rolf Eike Beer <eike@sf-mail.de>
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-php/PEAR-Archive_Tar/PEAR-Archive_Tar-1.4.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)