Search for packages
| purl | pkg:deb/debian/php-pear@1:1.10.12%2Bsubmodules%2Bnotgz%2B20210212-1?distro=trixie |
| Next non-vulnerable version | 1:1.10.13+submodules+notgz-1 |
| Latest non-vulnerable version | 1:1.10.16+submodules+notgz-3 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-tk1v-t2e5-jqae
Aliases: CVE-2021-32610 GHSA-p8q8-jfcv-g2h2 |
Improper Link Resolution Before File Access In Archive_Tar, symlinks can refer to targets outside of the extracted archive. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gbz5-5frj-hber | Multiple vulnerabilities through filename manipulation in Archive_Tar Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33 |
CVE-2020-28949
GHSA-75c5-f4gw-38r9 |
| VCID-kc7d-5k6x-77bp | Directory Traversal in Archive_Tar Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. ### :exclamation: Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13` which the earliest working version that avoids this vulnerability. |
CVE-2020-36193
GHSA-rpw6-9xfx-jvcx |
| VCID-rdg5-wdyd-xbdm | Deserialization of Untrusted Data There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. |
CVE-2018-1000888
GHSA-3q76-jq6m-573p |
| VCID-v9v6-ae3e-g3hk | Deserialization of Untrusted Data in Archive_Tar Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33 |
CVE-2020-28948
GHSA-jh5x-hfhg-78jq |