Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 757246 (CVE-2020-28948, CVE-2020-28949) - [Tracker] Vulnerabilities in <dev-php/PEAR-Archive_Tar-1.4.11 (CVE-2020-{28948,28949})
Summary: [Tracker] Vulnerabilities in <dev-php/PEAR-Archive_Tar-1.4.11 (CVE-2020-{2894...
Status: RESOLVED FIXED
Alias: CVE-2020-28948, CVE-2020-28949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-013
Whiteboard:
Keywords: Tracker
Depends on: 755653 757252
Blocks:
  Show dependency tree
 
Reported: 2020-11-27 17:07 UTC by John Helmert III
Modified: 2021-01-26 00:29 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-11-27 17:07:01 UTC
Drupal reports RCE via certain tarball archive upload due to CVE-2020-28948 and CVE-2020-28949.

CVE-2020-28948:

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

CVE-2020-28949:

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Comment 1 John Helmert III gentoo-dev Security 2021-01-26 00:29:32 UTC
Dead tracker.