From 099e537a03d162302c2366f7d53088d5bf623c4c Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 19 Jan 2021 08:48:37 +0000 Subject: [PATCH] [Security] Bump pear/archive_tar from 1.4.11 to 1.4.12 Bumps [pear/archive_tar](https://github.com/pear/Archive_Tar) from 1.4.11 to 1.4.12. **This update includes a security fix.** - [Release notes](https://github.com/pear/Archive_Tar/releases) - [Commits](https://github.com/pear/Archive_Tar/compare/1.4.11...1.4.12) Signed-off-by: dependabot-preview[bot] Signed-off-by: Christoph Wurst --- composer.lock | 20 ++++++++++---- composer/InstalledVersions.php | 10 +++---- composer/installed.json | 22 +++++++++++----- composer/installed.php | 10 +++---- .../src/PackageVersions/Versions.php | 4 +-- pear/archive_tar/Archive/Tar.php | 22 ++++++++++++---- pear/archive_tar/package.xml | 26 ++++++++++++++----- 7 files changed, 80 insertions(+), 34 deletions(-) diff --git a/composer.lock b/composer.lock index 01b6ef634..5da9abcf7 100644 --- a/composer.lock +++ b/composer.lock @@ -2181,16 +2181,16 @@ }, { "name": "pear/archive_tar", - "version": "1.4.11", + "version": "1.4.12", "source": { "type": "git", "url": "https://github.com/pear/Archive_Tar.git", - "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d" + "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d", - "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d", + "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495", + "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495", "shasum": "" }, "require": { 
@@ -2247,7 +2247,17 @@ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar", "source": "https://github.com/pear/Archive_Tar" }, - "time": "2020-11-19T22:10:24+00:00" + "funding": [ + { + "url": "https://github.com/mrook", + "type": "github" + }, + { + "url": "https://www.patreon.com/michielrook", + "type": "patreon" + } + ], + "time": "2021-01-18T19:32:54+00:00" }, { "name": "pear/console_getopt", diff --git a/composer/InstalledVersions.php b/composer/InstalledVersions.php index f41ac415f..472662d36 100644 --- a/composer/InstalledVersions.php +++ b/composer/InstalledVersions.php @@ -29,7 +29,7 @@ class InstalledVersions 'aliases' => array ( ), - 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025', + 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e', 'name' => 'nextcloud/3rdparty', ), 'versions' => @@ -302,7 +302,7 @@ class InstalledVersions 'aliases' => array ( ), - 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025', + 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e', ), 'nextcloud/lognormalizer' => array ( @@ -349,12 +349,12 @@ class InstalledVersions ), 'pear/archive_tar' => array ( - 'pretty_version' => '1.4.11', - 'version' => '1.4.11.0', + 'pretty_version' => '1.4.12', + 'version' => '1.4.12.0', 'aliases' => array ( ), - 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d', + 'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495', ), 'pear/console_getopt' => array ( diff --git a/composer/installed.json b/composer/installed.json index a8c30b9a2..0a77d842e 100644 --- a/composer/installed.json +++ b/composer/installed.json 
@@ -2274,17 +2274,17 @@ }, { "name": "pear/archive_tar", - "version": "1.4.11", - "version_normalized": "1.4.11.0", + "version": "1.4.12", + "version_normalized": "1.4.12.0", "source": { "type": "git", "url": "https://github.com/pear/Archive_Tar.git", - "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d" + "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d", - "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d", + "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495", + "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495", "shasum": "" }, "require": { @@ -2299,7 +2299,7 @@ "ext-xz": "Lzma2 compression support.", "ext-zlib": "Gzip compression support." }, - "time": "2020-11-19T22:10:24+00:00", + "time": "2021-01-18T19:32:54+00:00", "type": "library", "extra": { "branch-alias": { @@ -2343,6 +2343,16 @@ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar", "source": "https://github.com/pear/Archive_Tar" }, + "funding": [ + { + "url": "https://github.com/mrook", + "type": "github" + }, + { + "url": "https://www.patreon.com/michielrook", + "type": "patreon" + } + ], "install-path": "../pear/archive_tar" }, { diff --git a/composer/installed.php b/composer/installed.php index 4dd1d9c27..85cb45d3b 100644 --- a/composer/installed.php +++ b/composer/installed.php @@ -6,7 +6,7 @@ 'aliases' => array ( ), - 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025', + 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e', 'name' => 'nextcloud/3rdparty', ), 'versions' => @@ -279,7 +279,7 @@ 'aliases' => array ( ), - 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025', + 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e', ), 'nextcloud/lognormalizer' => array ( 
@@ -326,12 +326,12 @@ ), 'pear/archive_tar' => array ( - 'pretty_version' => '1.4.11', - 'version' => '1.4.11.0', + 'pretty_version' => '1.4.12', + 'version' => '1.4.12.0', 'aliases' => array ( ), - 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d', + 'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495', ), 'pear/console_getopt' => array ( diff --git a/composer/package-versions-deprecated/src/PackageVersions/Versions.php b/composer/package-versions-deprecated/src/PackageVersions/Versions.php index dc100bf24..9d34770af 100644 --- a/composer/package-versions-deprecated/src/PackageVersions/Versions.php +++ b/composer/package-versions-deprecated/src/PackageVersions/Versions.php @@ -66,7 +66,7 @@ final class Versions 'nikic/php-parser' => 'v4.10.4@c6d052fc58cb876152f89f532b95a8d7907e7f0e', 'opis/closure' => '3.6.1@943b5d70cc5ae7483f6aff6ff43d7e34592ca0f5', 'patchwork/jsqueeze' => 'v2.0.5@693d64850eab2ce6a7c8f7cf547e1ab46e69d542', - 'pear/archive_tar' => '1.4.11@17d355cb7d3c4ff08e5729f29cd7660145208d9d', + 'pear/archive_tar' => '1.4.12@19bb8e95490d3e3ad92fcac95500ca80bdcc7495', 'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0', 'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7', 'pear/pear_exception' => 'v1.0.1@dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7', @@ -118,7 +118,7 @@ final class Versions 'web-auth/cose-lib' => 'v3.3.1@eea6fae63ff5c81bf98c115b1be5f38a69682c16', 'web-auth/metadata-service' => 'v3.3.1@8488d3a832a38cc81c670fce05de1e515c6e64b1', 'web-auth/webauthn-lib' => 'v3.3.1@e411527a41c1013512fccdfce61681eb36484c77', - 'nextcloud/3rdparty' => 'dev-master@263574371f59d50a62558ac9a3adeb2acf3f5025', + 'nextcloud/3rdparty' => 'dev-master@a9db460535cf4f02e8004ccd22fefffe2a11026e', ); private function __construct() diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php index 92710741c..76771d5b5 100644 --- a/pear/archive_tar/Archive/Tar.php +++ b/pear/archive_tar/Archive/Tar.php 
@@ -1397,16 +1397,20 @@ public function _writeHeader($p_filename, $p_stored_filename) $v_magic = 'ustar '; $v_version = ' '; + $v_uname = ''; + $v_gname = ''; if (function_exists('posix_getpwuid')) { $userinfo = posix_getpwuid($v_info[4]); $groupinfo = posix_getgrgid($v_info[5]); - $v_uname = $userinfo['name']; - $v_gname = $groupinfo['name']; - } else { - $v_uname = ''; - $v_gname = ''; + if (isset($userinfo['name'])) { + $v_uname = $userinfo['name']; + } + + if (isset($groupinfo['name'])) { + $v_gname = $groupinfo['name']; + } } $v_devmajor = ''; @@ -2120,6 +2124,14 @@ public function _extractList( } } } elseif ($v_header['typeflag'] == "2") { + if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) { + $this->_error( + 'Out-of-path file extraction {' + . $v_header['filename'] . ' --> ' . + $v_header['link'] . '}' + ); + return false; + } if (!$p_symlinks) { $this->_warning('Symbolic links are not allowed. ' . 'Unable to extract {' diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml index 6edf4fd10..5da8ee884 100644 --- a/pear/archive_tar/package.xml +++ b/pear/archive_tar/package.xml @@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension. stig@php.net no - 2020-11-19 - + 2021-01-18 + - 1.4.11 + 1.4.12 1.4.0 @@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension. New BSD License -* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / - CVE-2020-28949) [mrook] +* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook] @@ -75,7 +74,22 @@ Also Lzma2 compressed archives are supported with xz extension. - + + + 1.4.11 + 1.4.0 + + + stable + stable + + 2020-11-19 + New BSD License + +* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook] + + + 1.4.10 1.4.0
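Review bot: The out-of-path test added in the `typeflag == "2"` branch compares `realpath(dirname($v_header['link']))` against `realpath($p_path)` with a bare `strpos(...) !== 0`, so a resolved target under a sibling directory whose name merely starts with the extraction path (for example `<p_path>2/`) still passes as in-path; comparing both sides with a trailing `DIRECTORY_SEPARATOR` appended closes that gap. Two further properties of the same line deserve a comment: `realpath()` resolves a relative link target against the process working directory, not against the link's own location under `$p_path`, so whether a relative symlink is accepted depends on the caller's cwd, and `realpath()` returns `false` for a directory that does not exist yet, which makes `strpos` fail and rejects links into directories that later archive entries would create. The second effect may well be intended, but it is a behaviour change the changelog does not mention. `_extractList` begins and ends outside this hunk, and because `pear/archive_tar` is vendored in this repository the adjustment belongs upstream rather than in a local patch.
```php
} elseif ($v_header['typeflag'] == "2") {
    $v_base = realpath($p_path);
    $v_target = realpath(dirname($v_header['link']));
    // Append a separator to both sides so "<base>2" is not mistaken for "<base>".
    if ($v_base === false || $v_target === false
        || strpos($v_target . DIRECTORY_SEPARATOR, $v_base . DIRECTORY_SEPARATOR) !== 0
    ) {
        // … unchanged: _error() call and return false …
    }
    // … unchanged: $p_symlinks handling …
```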