diff --git a/composer.lock b/composer.lock
index 01b6ef634..5da9abcf7 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2181,16 +2181,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.11",
+ "version": "1.4.12",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"shasum": ""
},
"require": {
@@ -2247,7 +2247,17 @@
"issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
"source": "https://github.com/pear/Archive_Tar"
},
- "time": "2020-11-19T22:10:24+00:00"
+ "funding": [
+ {
+ "url": "https://github.com/mrook",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/michielrook",
+ "type": "patreon"
+ }
+ ],
+ "time": "2021-01-18T19:32:54+00:00"
},
{
"name": "pear/console_getopt",
diff --git a/composer/InstalledVersions.php b/composer/InstalledVersions.php
index f41ac415f..472662d36 100644
--- a/composer/InstalledVersions.php
+++ b/composer/InstalledVersions.php
@@ -29,7 +29,7 @@ class InstalledVersions
'aliases' =>
array (
),
- 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
+ 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
@@ -302,7 +302,7 @@ class InstalledVersions
'aliases' =>
array (
),
- 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
+ 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
),
'nextcloud/lognormalizer' =>
array (
@@ -349,12 +349,12 @@ class InstalledVersions
),
'pear/archive_tar' =>
array (
- 'pretty_version' => '1.4.11',
- 'version' => '1.4.11.0',
+ 'pretty_version' => '1.4.12',
+ 'version' => '1.4.12.0',
'aliases' =>
array (
),
- 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
+ 'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
),
'pear/console_getopt' =>
array (
diff --git a/composer/installed.json b/composer/installed.json
index a8c30b9a2..0a77d842e 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2274,17 +2274,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.11",
- "version_normalized": "1.4.11.0",
+ "version": "1.4.12",
+ "version_normalized": "1.4.12.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
- "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"shasum": ""
},
"require": {
@@ -2299,7 +2299,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2020-11-19T22:10:24+00:00",
+ "time": "2021-01-18T19:32:54+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -2343,6 +2343,16 @@
"issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
"source": "https://github.com/pear/Archive_Tar"
},
+ "funding": [
+ {
+ "url": "https://github.com/mrook",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/michielrook",
+ "type": "patreon"
+ }
+ ],
"install-path": "../pear/archive_tar"
},
{
diff --git a/composer/installed.php b/composer/installed.php
index 4dd1d9c27..85cb45d3b 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -6,7 +6,7 @@
'aliases' =>
array (
),
- 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
+ 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
@@ -279,7 +279,7 @@
'aliases' =>
array (
),
- 'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
+ 'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
),
'nextcloud/lognormalizer' =>
array (
@@ -326,12 +326,12 @@
),
'pear/archive_tar' =>
array (
- 'pretty_version' => '1.4.11',
- 'version' => '1.4.11.0',
+ 'pretty_version' => '1.4.12',
+ 'version' => '1.4.12.0',
'aliases' =>
array (
),
- 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
+ 'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
),
'pear/console_getopt' =>
array (
diff --git a/composer/package-versions-deprecated/src/PackageVersions/Versions.php b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
index dc100bf24..9d34770af 100644
--- a/composer/package-versions-deprecated/src/PackageVersions/Versions.php
+++ b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
@@ -66,7 +66,7 @@ final class Versions
'nikic/php-parser' => 'v4.10.4@c6d052fc58cb876152f89f532b95a8d7907e7f0e',
'opis/closure' => '3.6.1@943b5d70cc5ae7483f6aff6ff43d7e34592ca0f5',
'patchwork/jsqueeze' => 'v2.0.5@693d64850eab2ce6a7c8f7cf547e1ab46e69d542',
- 'pear/archive_tar' => '1.4.11@17d355cb7d3c4ff08e5729f29cd7660145208d9d',
+ 'pear/archive_tar' => '1.4.12@19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
'pear/pear_exception' => 'v1.0.1@dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7',
@@ -118,7 +118,7 @@ final class Versions
'web-auth/cose-lib' => 'v3.3.1@eea6fae63ff5c81bf98c115b1be5f38a69682c16',
'web-auth/metadata-service' => 'v3.3.1@8488d3a832a38cc81c670fce05de1e515c6e64b1',
'web-auth/webauthn-lib' => 'v3.3.1@e411527a41c1013512fccdfce61681eb36484c77',
- 'nextcloud/3rdparty' => 'dev-master@263574371f59d50a62558ac9a3adeb2acf3f5025',
+ 'nextcloud/3rdparty' => 'dev-master@a9db460535cf4f02e8004ccd22fefffe2a11026e',
);
private function __construct()
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 92710741c..76771d5b5 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -1397,16 +1397,20 @@ public function _writeHeader($p_filename, $p_stored_filename)
$v_magic = 'ustar ';
$v_version = ' ';
+ $v_uname = '';
+ $v_gname = '';
if (function_exists('posix_getpwuid')) {
$userinfo = posix_getpwuid($v_info[4]);
$groupinfo = posix_getgrgid($v_info[5]);
- $v_uname = $userinfo['name'];
- $v_gname = $groupinfo['name'];
- } else {
- $v_uname = '';
- $v_gname = '';
+ if (isset($userinfo['name'])) {
+ $v_uname = $userinfo['name'];
+ }
+
+ if (isset($groupinfo['name'])) {
+ $v_gname = $groupinfo['name'];
+ }
}
$v_devmajor = '';
@@ -2120,6 +2124,14 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
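Review bot: The new guard on the `typeflag == "2"` branch compares `realpath(dirname($v_header['link']))` against `realpath($p_path)` as a bare string prefix, so any sibling directory whose name merely starts with the extraction path (`$p_path . '2'`, for instance) satisfies `strpos(...) !== 0` and is treated as in-path; the comparison should be against the base path with a trailing `DIRECTORY_SEPARATOR`, or exact equality. `realpath()` also returns `false` when either path does not exist, and the check then only rejects because `strpos('' , ...)` happens to return `false` — that fail-closed behaviour should be explicit rather than incidental, and it is worth noting in a comment that a relative `link` is resolved by `realpath()` against the process working directory, which may or may not be `$p_path` here (the surrounding code is outside this hunk, so I cannot confirm). `_extractList` begins before and continues after this hunk.

```php
            } elseif ($v_header['typeflag'] == "2") {
                $v_base = realpath($p_path);
                $v_link_dir = realpath(dirname($v_header['link']));
                // Fail closed if either path cannot be resolved, and require a
                // directory-boundary match so a sibling such as "$p_path . '2'"
                // is not accepted as in-path.
                if ($v_base === false || $v_link_dir === false
                    || ($v_link_dir !== $v_base
                        && strpos($v_link_dir, rtrim($v_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0)) {
                    // … unchanged: _error('Out-of-path file extraction …') and return false …
                }
                // … unchanged: $p_symlinks handling …
```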
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 6edf4fd10..5da8ee884 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2020-11-19
-
+ 2021-01-18
+
- 1.4.11
+ 1.4.12
1.4.0
@@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
- CVE-2020-28949) [mrook]
+* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
@@ -75,7 +74,22 @@ Also Lzma2 compressed archives are supported with xz extension.
-
+
+
+ 1.4.11
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2020-11-19
+ New BSD License
+
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
+
+
+
1.4.10
1.4.0