757246 – (CVE-2020-28948, CVE-2020-28949) [Tracker] Vulnerabilities in <dev-php/PEAR-Archive_Tar-1.4.11 (CVE-2020-{28948,28949})

Bug 757246 (CVE-2020-28948, CVE-2020-28949) - [Tracker] Vulnerabilities in <dev-php/PEAR-Archive_Tar-1.4.11 (CVE-2020-{28948,28949})

Summary: [Tracker] Vulnerabilities in <dev-php/PEAR-Archive_Tar-1.4.11 (CVE-2020-{2894...

Status:	RESOLVED FIXED

Alias:	CVE-2020-28948, CVE-2020-28949

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://www.drupal.org/sa-core-2020-013
Whiteboard:
Keywords:	Tracker

Depends on:	755653 757252
Blocks:
	Show dependency tree

Reported:	2020-11-27 17:07 UTC by John Helmert III
Modified:	2021-01-26 00:29 UTC (History)
CC List:	0 users

See Also:	CVE-2020-36193
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-11-27 17:07:01 UTC

Drupal reports RCE via certain tarball archive upload due to CVE-2020-28948 and CVE-2020-28949.

CVE-2020-28948:

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

CVE-2020-28949:

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Comment 1 John Helmert III archtester

2021-01-26 00:29:32 UTC

Dead tracker.