diff --git a/composer.json b/composer.json
index 9ed83e02c..8b1e17f56 100644
--- a/composer.json
+++ b/composer.json
@@ -28,7 +28,7 @@
"nikic/php-parser": "^4.2",
"patchwork/jsqueeze": "^2.0",
"patchwork/utf8": "1.3.1",
- "pear/archive_tar": "1.4.9",
+ "pear/archive_tar": "1.4.11",
"pear/pear-core-minimal": "^v1.10",
"phpseclib/phpseclib": "2.0.25",
"php-opencloud/openstack": "3.0.7",
diff --git a/composer.lock b/composer.lock
index 158561c11..15ced0257 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "eb35efa759d73ba474004fc466207ae1",
+ "content-hash": "38b7f3fc2d479aa01e20d0b16416ebf8",
"packages": [
{
"name": "aws/aws-sdk-php",
@@ -1613,7 +1613,7 @@
"time": "2015-08-01T16:27:37+00:00"
},
{
- "name": "jeremeamia/SuperClosure",
+ "name": "jeremeamia/superclosure",
"version": "2.4.0",
"source": {
"type": "git",
@@ -1901,6 +1901,12 @@
"url",
"ws"
],
+ "funding": [
+ {
+ "url": "https://github.com/sponsors/nyamsprod",
+ "type": "github"
+ }
+ ],
"time": "2020-03-17T14:40:17+00:00"
},
{
@@ -2390,16 +2396,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.9",
+ "version": "1.4.11",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2452,7 +2458,7 @@
"archive",
"tar"
],
- "time": "2019-12-04T10:17:28+00:00"
+ "time": "2020-11-19T22:10:24+00:00"
},
{
"name": "pear/console_getopt",
@@ -4411,6 +4417,20 @@
"polyfill",
"portable"
],
+ "funding": [
+ {
+ "url": "https://symfony.com/sponsor",
+ "type": "custom"
+ },
+ {
+ "url": "https://github.com/fabpot",
+ "type": "github"
+ },
+ {
+ "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+ "type": "tidelift"
+ }
+ ],
"time": "2020-02-27T09:26:54+00:00"
},
{
diff --git a/composer/installed.json b/composer/installed.json
index 3b2306c6c..b9df96c22 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2461,17 +2461,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.9",
- "version_normalized": "1.4.9.0",
+ "version": "1.4.11",
+ "version_normalized": "1.4.11.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2486,7 +2486,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2019-12-04T10:17:28+00:00",
+ "time": "2020-11-19T22:10:24+00:00",
"type": "library",
"extra": {
"branch-alias": {
diff --git a/pear/archive_tar/.gitignore b/pear/archive_tar/.gitignore
index c32ccd7cc..c703991e8 100644
--- a/pear/archive_tar/.gitignore
+++ b/pear/archive_tar/.gitignore
@@ -8,3 +8,8 @@ vendor
.buildpath
.project
.settings
+# pear
+.tarballs
+*.tgz
+# phpunit
+build
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 2f328c227..92710741c 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -731,7 +731,7 @@ public function setIgnoreRegexp($regexp)
*/
public function setIgnoreList($list)
{
- $regexp = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
+ $list = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
$regexp = '#/' . join('$|/', $list) . '#';
$this->setIgnoreRegexp($regexp);
}
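Review bot: The escaping at the top of setIgnoreList still covers only `#`, `.`, `^` and `$`, so any other PCRE metacharacter in a list entry (`*`, `+`, `?`, `(`, `[`, `|`) is still interpreted as pattern syntax rather than matched literally, and a malformed entry would make the pattern built on the next line fail inside setIgnoreRegexp. `preg_quote()` with the `#` delimiter covers the full metacharacter set in one call: `$list = array_map(function ($item) { return preg_quote($item, '#'); }, $list);`. Note also that an empty `$list` yields the pattern `#/#`, which matches every entry name containing a slash; an early return or at least a docblock sentence for that case would make the behaviour explicit.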
@@ -1273,7 +1273,7 @@ public function _addFile($p_filename, &$p_header, $p_add_dir, $p_remove_dir, $v_
while (($v_buffer = fread($v_file, $this->buffer_length)) != '') {
$buffer_length = strlen("$v_buffer");
if ($buffer_length != $this->buffer_length) {
- $pack_size = ((int)($buffer_length / 512) + 1) * 512;
+ $pack_size = ((int)($buffer_length / 512) + ($buffer_length % 512 !== 0 ? 1 : 0)) * 512;
$pack_format = sprintf('a%d', $pack_size);
} else {
$pack_format = sprintf('a%d', $this->buffer_length);
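Review bot: The new rounding expression on the `$pack_size` line is correct but its intent is not visible at a glance; it is a ceiling to the next 512-byte block, which `(int) ceil($buffer_length / 512) * 512` states directly, or at minimum deserves a comment such as `// pad to the next 512-byte block; an exact multiple needs no extra block` above it. The old form unconditionally added a block, so a short read that was already a multiple of 512 bytes received 512 surplus NUL bytes, which matches what the 1.4.10 changelog entry in package.xml describes. _addFile begins and ends outside this hunk.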
@@ -1515,8 +1515,13 @@ public function _writeHeaderBlock(
$userinfo = posix_getpwuid($p_uid);
$groupinfo = posix_getgrgid($p_gid);
- $v_uname = $userinfo['name'];
- $v_gname = $groupinfo['name'];
+ if ($userinfo === false || $groupinfo === false) {
+ $v_uname = '';
+ $v_gname = '';
+ } else {
+ $v_uname = $userinfo['name'];
+ $v_gname = $groupinfo['name'];
+ }
} else {
$v_uname = '';
$v_gname = '';
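Review bot: The new guard correctly handles `posix_getpwuid()`/`posix_getgrgid()` returning `false`, but nothing in the hunk says why that happens, and the reason (the id cannot be resolved, e.g. inside a chroot jail without passwd/group data, as the 1.4.10 changelog puts it) is not obvious to a later reader; a one-line comment such as `// posix_get*() return false when the uid/gid cannot be resolved (e.g. chroot jail); write empty names rather than failing` would save the next maintainer a lookup. The two fallback branches now duplicate `$v_uname = ''; $v_gname = '';`; initialising both to `''` before the outer `if` and assigning only on a successful lookup would remove that repetition. _writeHeaderBlock begins and ends outside this hunk.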
@@ -1725,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
- if ($this->_maliciousFilename($v_header['filename'])) {
+ if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
@@ -1795,9 +1800,9 @@ private function _tarRecToSize($tar_size)
*
* @return bool
*/
- private function _maliciousFilename($file)
+ private function _isMaliciousFilename($file)
{
- if (strpos($file, 'phar://') === 0) {
+ if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
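Review bot: `_isMaliciousFilename` now rejects any entry name containing `://` anywhere rather than only a `phar://` prefix, which looks deliberate and is the broader check (package.xml attributes the change to CVE-2020-28948 / CVE-2020-28949), but the docblock above it still only says `@return bool` and does not state the policy, so nothing stops a later edit from narrowing it back; a sentence such as `Returns true when the entry name contains a stream-wrapper scheme ("://") anywhere or a ".." path segment; such entries are refused by _readHeader and _readLongHeader.` would pin the contract. The rename is applied consistently at both call sites in this diff (the _readHeader and _readLongHeader hunks). The function body continues past the end of this hunk, so any further checks there are not visible here.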
@@ -1833,7 +1838,7 @@ public function _readLongHeader(&$v_header)
$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
- if ($this->_maliciousFilename($v_filename)) {
+ if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 683493951..6edf4fd10 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2019-12-04
-
+ 2020-11-19
+
- 1.4.9
+ 1.4.11
1.4.0
@@ -44,7 +44,8 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Implement Feature #23861: Add option to disallow symlinks [mrook]
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
+ CVE-2020-28949) [mrook]
@@ -74,6 +75,37 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.10
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2020-09-15
+ New BSD License
+
+ * Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
+ * Don't try to copy username/groupname in chroot jail
+
+
+
+
+ 1.4.9
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-12-04
+ New BSD License
+
+* Implement Feature #23861: Add option to disallow symlinks [mrook]
+
+
1.4.8