diff --git a/composer.lock b/composer.lock
index 6441a1142..e63e8450c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2277,16 +2277,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.13",
+ "version": "1.4.14",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2353,7 +2353,7 @@
"type": "patreon"
}
],
- "time": "2021-02-16T10:50:50+00:00"
+ "time": "2021-07-20T13:53:39+00:00"
},
{
"name": "pear/console_getopt",
diff --git a/composer/installed.json b/composer/installed.json
index 90021f823..ff287524a 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2369,17 +2369,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.13",
- "version_normalized": "1.4.13.0",
+ "version": "1.4.14",
+ "version_normalized": "1.4.14.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2394,7 +2394,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2021-02-16T10:50:50+00:00",
+ "time": "2021-07-20T13:53:39+00:00",
"type": "library",
"extra": {
"branch-alias": {
diff --git a/composer/installed.php b/composer/installed.php
index d6974a343..83cbaea87 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => 'e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'reference' => 'b712fcb86411da2f8547100e28f3e586dee52ead',
'name' => 'nextcloud/3rdparty',
'dev' => false,
),
@@ -286,7 +286,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => 'e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'reference' => 'b712fcb86411da2f8547100e28f3e586dee52ead',
'dev_requirement' => false,
),
'nextcloud/lognormalizer' => array(
@@ -332,12 +332,12 @@
'dev_requirement' => false,
),
'pear/archive_tar' => array(
- 'pretty_version' => '1.4.13',
- 'version' => '1.4.13.0',
+ 'pretty_version' => '1.4.14',
+ 'version' => '1.4.14.0',
'type' => 'library',
'install_path' => __DIR__ . '/../pear/archive_tar',
'aliases' => array(),
- 'reference' => '2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'reference' => '4d761c5334c790e45ef3245f0864b8955c562caa',
'dev_requirement' => false,
),
'pear/console_getopt' => array(
diff --git a/composer/package-versions-deprecated/src/PackageVersions/Versions.php b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
index f954bab29..cd4506a0a 100644
--- a/composer/package-versions-deprecated/src/PackageVersions/Versions.php
+++ b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
@@ -67,7 +67,7 @@ final class Versions
'nikic/php-parser' => 'v4.10.5@4432ba399e47c66624bc73c8c0f811e5c109576f',
'opis/closure' => '3.6.2@06e2ebd25f2869e54a306dda991f7db58066f7f6',
'patchwork/jsqueeze' => 'v2.0.5@693d64850eab2ce6a7c8f7cf547e1ab46e69d542',
- 'pear/archive_tar' => '1.4.13@2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'pear/archive_tar' => '1.4.14@4d761c5334c790e45ef3245f0864b8955c562caa',
'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
'pear/pear_exception' => 'v1.0.2@b14fbe2ddb0b9f94f5b24cf08783d599f776fff0',
@@ -120,7 +120,7 @@ final class Versions
'web-auth/cose-lib' => 'v3.3.1@eea6fae63ff5c81bf98c115b1be5f38a69682c16',
'web-auth/metadata-service' => 'v3.3.1@8488d3a832a38cc81c670fce05de1e515c6e64b1',
'web-auth/webauthn-lib' => 'v3.3.1@e411527a41c1013512fccdfce61681eb36484c77',
- 'nextcloud/3rdparty' => 'dev-master@e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'nextcloud/3rdparty' => 'dev-master@b712fcb86411da2f8547100e28f3e586dee52ead',
);
private function __construct()
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index a8c9501cc..3356ad6ac 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -2124,25 +2124,40 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
+ $absolute_link = FALSE;
$link_depth = 0;
- foreach (explode("/", $v_header['filename']) as $dir) {
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== "." ) {
- $link_depth++;
- }
+ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+ $absolute_link = TRUE;
}
- foreach (explode("/", $v_header['link']) as $dir){
- if ($link_depth <= 0) {
- break;
+ else {
+ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+ $s_linkname = str_replace('\\', '/', $v_header['link']);
+ foreach (explode("/", $s_filename) as $dir) {
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== "." ) {
+ $link_depth++;
+ }
}
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== ".") {
- $link_depth++;
+ foreach (explode("/", $s_linkname) as $dir){
+ if ($link_depth <= 0) {
+ break;
+ }
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== ".") {
+ $link_depth++;
+ }
}
}
- if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
+ if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
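Review bot: `preg_quote($p_path)` on the new `$s_filename` line is called without the delimiter argument, so an extraction path containing `@` (the delimiter chosen for the pattern) produces an invalid regex; `preg_replace` then returns null, `$s_filename` is no longer a string, and the depth computation that guards the out-of-path check runs on garbage. The fix is `$s_filename = preg_replace('@^' . preg_quote($p_path, '@') . '@', "", $v_header['filename']);`, ideally followed by a null check that treats a failed replace as an error rather than continuing. The absolute-link test is also evaluated on the raw `$v_header['link']` while the backslash-to-slash normalization into `$s_linkname` happens only in the else branch afterwards; computing `$s_linkname` first and testing it keeps the two checks consistent, and `$s_filename` receives no such normalization at all. `_extractList` starts and ends outside this hunk.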
@@ -2150,13 +2165,6 @@ public function _extractList(
);
return false;
}
- if (!$p_symlinks) {
- $this->_warning('Symbolic links are not allowed. '
- . 'Unable to extract {'
- . $v_header['filename'] . '}'
- );
- return false;
- }
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 8da0d40c9..d4f20bd4b 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2021-02-16
-
+ 2021-07-20
+
- 1.4.13
+ 1.4.14
1.4.0
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
+* Properly fix symbolic link path traversal (CVE-2021-32610)
@@ -74,6 +74,21 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.13
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2021-02-16
+ New BSD License
+
+ * Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
+
+
1.4.12