Bug 803227 - <dev-php/PEAR-Archive_Tar-1.4.14: Directory traversal vulnerability (CVE-2021-32610)
Summary: <dev-php/PEAR-Archive_Tar-1.4.14: Directory traversal vulnerability (CVE-2021-32610)
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2021-32610
Reported: 2021-07-21 13:05 UTC by Brian Evans
Modified: 2021-08-14 04:02 UTC

See Also:
Package list:
dev-php/PEAR-Archive_Tar-1.4.14
Runtime testing required: ---
nattka: sanity-check+


Description Brian Evans Gentoo Infrastructure gentoo-dev 2021-07-21 13:05:37 UTC
"Tar.php in Archive_Tar through 1.4.13 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2021-32610."
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2021-07-21 13:09:35 UTC
This is actually a fix of the fix for CVE-2020-36193
Comment 2 John Helmert III gentoo-dev Security 2021-07-21 21:59:01 UTC
Is this fixed in Archive_Tar?
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 03:34:41 UTC
ping, ready to stable?
Comment 12 Brian Evans Gentoo Infrastructure gentoo-dev 2021-08-12 13:44:12 UTC
(In reply to Sam James from comment #11)
> ping, ready to stable?

Yes, that's fine.
Comment 13 Agostino Sarubbo gentoo-dev 2021-08-13 06:51:56 UTC
ALLARCHES stable.
Comment 14 John Helmert III gentoo-dev Security 2021-08-13 19:25:09 UTC
Please clean up.
Comment 15 Larry the Git Cow gentoo-dev 2021-08-13 19:27:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73fab5f94d217f525340e886f2637ade8e0907ef

commit 73fab5f94d217f525340e886f2637ade8e0907ef
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-08-13 19:26:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-08-13 19:27:54 +0000

    dev-php/PEAR-Archive_Tar: Drop old
    
    Bug: https://bugs.gentoo.org/803227
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/PEAR-Archive_Tar/Manifest                  |  2 -
 .../PEAR-Archive_Tar-1.4.12.ebuild                 | 50 ----------------------
 .../PEAR-Archive_Tar-1.4.13.ebuild                 | 50 ----------------------
 3 files changed, 102 deletions(-)
Comment 16 John Helmert III gentoo-dev Security 2021-08-14 04:02:54 UTC
Thank you!