
github.com/nextcloud/3rdparty.git - Unnamed repository; edit this file 'description' to name the repository.
authorLukas Reschke <lukas@statuscode.ch>2021-09-13 11:36:47 +0300
committerLukas Reschke <lukas@statuscode.ch>2021-09-13 11:36:47 +0300
commitb299531b78c1493d6a03cc1829fe8b3cb1b1e723 (patch)
treeb78ffed14dd32ebab4082b8cdcb4a544f0d48ff6
parentbb3b8160b897f8474ba27dd8c1bd6a408c519a07 (diff)
[stable19] Bump archive_tar to latest releasestable19-bump-archive
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
-rw-r--r--composer.json2
-rw-r--r--composer.lock16
-rw-r--r--composer/installed.json16
-rw-r--r--composer/installed.php10
-rw-r--r--pear/archive_tar/Archive/Tar.php44
-rw-r--r--pear/archive_tar/README.md2
-rw-r--r--pear/archive_tar/package.xml38
7 files changed, 96 insertions, 32 deletions
diff --git a/composer.json b/composer.json
index b0fd6f9e..5da3838f 100644
--- a/composer.json
+++ b/composer.json
@@ -28,7 +28,7 @@
"nikic/php-parser": "^4.2",
"patchwork/jsqueeze": "^2.0",
"patchwork/utf8": "1.3.1",
- "pear/archive_tar": "1.4.12",
+ "pear/archive_tar": "1.4.14",
"pear/pear-core-minimal": "^v1.10",
"phpseclib/phpseclib": "2.0.31",
"php-opencloud/openstack": "3.0.7",
diff --git a/composer.lock b/composer.lock
index c5576463..f50022b9 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "9c6212de31a4d05911f32fb1fabb3db8",
+ "content-hash": "317fc1945ee54daa5b6d46d7d69a0882",
"packages": [
{
"name": "aws/aws-sdk-php",
@@ -2429,16 +2429,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.12",
+ "version": "1.4.14",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
- "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2491,6 +2491,10 @@
"archive",
"tar"
],
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
+ "source": "https://github.com/pear/Archive_Tar"
+ },
"funding": [
{
"url": "https://github.com/mrook",
@@ -2501,7 +2505,7 @@
"type": "patreon"
}
],
- "time": "2021-01-18T19:32:54+00:00"
+ "time": "2021-07-20T13:53:39+00:00"
},
{
"name": "pear/console_getopt",
diff --git a/composer/installed.json b/composer/installed.json
index aa0b2c11..53f83fcb 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2529,17 +2529,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.12",
- "version_normalized": "1.4.12.0",
+ "version": "1.4.14",
+ "version_normalized": "1.4.14.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
- "reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2554,7 +2554,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2021-01-18T19:32:54+00:00",
+ "time": "2021-07-20T13:53:39+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -2594,6 +2594,10 @@
"archive",
"tar"
],
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
+ "source": "https://github.com/pear/Archive_Tar"
+ },
"funding": [
{
"url": "https://github.com/mrook",
diff --git a/composer/installed.php b/composer/installed.php
index c20f76b6..0420f2f0 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => '28d59882293145ed2e3719f4af2fe2dbc83e6513',
+ 'reference' => 'bb3b8160b897f8474ba27dd8c1bd6a408c519a07',
'name' => 'nextcloud/3rdparty',
'dev' => false,
),
@@ -331,7 +331,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => '28d59882293145ed2e3719f4af2fe2dbc83e6513',
+ 'reference' => 'bb3b8160b897f8474ba27dd8c1bd6a408c519a07',
'dev_requirement' => false,
),
'nikic/php-parser' => array(
@@ -371,12 +371,12 @@
'dev_requirement' => false,
),
'pear/archive_tar' => array(
- 'pretty_version' => '1.4.12',
- 'version' => '1.4.12.0',
+ 'pretty_version' => '1.4.14',
+ 'version' => '1.4.14.0',
'type' => 'library',
'install_path' => __DIR__ . '/../pear/archive_tar',
'aliases' => array(),
- 'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
+ 'reference' => '4d761c5334c790e45ef3245f0864b8955c562caa',
'dev_requirement' => false,
),
'pear/console_getopt' => array(
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 76771d5b..3356ad6a 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -257,7 +257,7 @@ class Archive_Tar extends PEAR
{
$this->_close();
// ----- Look for a local copy to delete
- if ($this->_temp_tarname != '') {
+ if ($this->_temp_tarname != '' && (bool) preg_match('/^tar[[:alnum:]]*\.tmp$/', $this->_temp_tarname)) {
@unlink($this->_temp_tarname);
}
}
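Review bot: The pattern on the changed `if` line ends with `$`, which in PCRE also matches just before a final newline, so a `_temp_tarname` value ending in a newline still passes the check and reaches `@unlink()`. Anchoring with `\z` makes the match exact: `preg_match('/^tar[[:alnum:]]*\.tmp\z/', $this->_temp_tarname)`. The `(bool)` cast is redundant inside `&&`. The guard also deserves a why-comment such as `// Only delete temp files whose name has the shape this class generates; never unlink an arbitrary _temp_tarname.` That the class generates names of this shape is assumed, because the assignment and the start of the enclosing method are outside the hunk.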
@@ -2124,14 +2124,6 @@ class Archive_Tar extends PEAR
}
}
} elseif ($v_header['typeflag'] == "2") {
- if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
- $this->_error(
- 'Out-of-path file extraction {'
- . $v_header['filename'] . ' --> ' .
- $v_header['link'] . '}'
- );
- return false;
- }
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
@@ -2139,6 +2131,40 @@ class Archive_Tar extends PEAR
);
return false;
}
+ $absolute_link = FALSE;
+ $link_depth = 0;
+ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+ $absolute_link = TRUE;
+ }
+ else {
+ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+ $s_linkname = str_replace('\\', '/', $v_header['link']);
+ foreach (explode("/", $s_filename) as $dir) {
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== "." ) {
+ $link_depth++;
+ }
+ }
+ foreach (explode("/", $s_linkname) as $dir){
+ if ($link_depth <= 0) {
+ break;
+ }
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== ".") {
+ $link_depth++;
+ }
+ }
+ }
+ if ($absolute_link || $link_depth <= 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
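Review bot: The `preg_replace` line builds its pattern with `@` as the delimiter but calls `preg_quote($p_path)` without naming that delimiter, so an extraction path containing `@` yields a malformed pattern. `preg_replace()` then returns null, which appears to leave `$link_depth` at 0, so every relative symlink would be rejected as out-of-path; this fails closed but breaks legitimate archives. Passing the delimiter fixes it: `$s_filename = preg_replace('@^' . preg_quote($p_path, '@') . '@', "", $v_header['filename']);`. The depth count is also purely lexical, so it does not see path components that are already symlinks on disk, a case the removed `realpath()` comparison covered at least in part. Whether another check handles this cannot be told from here, as the enclosing function starts and ends outside the hunk.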
diff --git a/pear/archive_tar/README.md b/pear/archive_tar/README.md
index 96e95713..f9c53be1 100644
--- a/pear/archive_tar/README.md
+++ b/pear/archive_tar/README.md
@@ -1,7 +1,7 @@
Archive_Tar
==========
-[![Build Status](https://secure.travis-ci.org/pear/Archive_Tar.png?branch=master)](https://travis-ci.org/pear/Archive_Tar)
+![.github/workflows/build.yml](https://github.com/pear/Archive_Tar/workflows/.github/workflows/build.yml/badge.svg)
This package provides handling of tar files in PHP.
It supports creating, listing, extracting and adding to tar files.
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 5da8ee88..d4f20bd4 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
- <date>2021-01-18</date>
- <time>19:29:56</time>
+ <date>2021-07-20</date>
+ <time>18:00:00</time>
<version>
- <release>1.4.12</release>
+ <release>1.4.14</release>
<api>1.4.0</api>
</version>
<stability>
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
-* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
+* Properly fix symbolic link path traversal (CVE-2021-32610)
</notes>
<contents>
<dir name="/">
@@ -76,6 +76,36 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<changelog>
<release>
<version>
+ <release>1.4.13</release>
+ <api>1.4.0</api>
+ </version>
+ <stability>
+ <release>stable</release>
+ <api>stable</api>
+ </stability>
+ <date>2021-02-16</date>
+ <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+ <notes>
+ * Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
+ </notes>
+ </release>
+ <release>
+ <version>
+ <release>1.4.12</release>
+ <api>1.4.0</api>
+ </version>
+ <stability>
+ <release>stable</release>
+ <api>stable</api>
+ </stability>
+ <date>2021-01-18</date>
+ <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+ <notes>
+* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
+ </notes>
+ </release>
+ <release>
+ <version>
<release>1.4.11</release>
<api>1.4.0</api>
</version>