From b616e15774e27d2cc416764781a50f750c1f8b6c Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 7 Sep 2021 11:16:46 +0200
Subject: [PATCH] [stable22] Bump Archive_Tar

Signed-off-by: Lukas Reschke
---
 composer.lock | 10 ++--
 composer/installed.json | 12 ++---
 composer/installed.php | 10 ++--
 .../src/PackageVersions/Versions.php | 4 +-
 pear/archive_tar/Archive/Tar.php | 50 +++++++++++--------
 pear/archive_tar/package.xml | 23 +++++++--
 6 files changed, 66 insertions(+), 43 deletions(-)

diff --git a/composer.lock b/composer.lock
index 6441a1142..e63e8450c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2277,16 +2277,16 @@
 },
 {
 "name": "pear/archive_tar",
- "version": "1.4.13",
+ "version": "1.4.14",
 "source": {
 "type": "git",
 "url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
 "shasum": ""
 },
 "require": {
@@ -2353,7 +2353,7 @@
 "type": "patreon"
 }
 ],
- "time": "2021-02-16T10:50:50+00:00"
+ "time": "2021-07-20T13:53:39+00:00"
 },
 {
 "name": "pear/console_getopt",
diff --git a/composer/installed.json b/composer/installed.json
index 90021f823..ff287524a 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2369,17 +2369,17 @@
 },
 {
 "name": "pear/archive_tar",
- "version": "1.4.13",
- "version_normalized": "1.4.13.0",
+ "version": "1.4.14",
+ "version_normalized": "1.4.14.0",
 "source": {
 "type": "git",
 "url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
 "shasum": ""
 },
 "require": {
@@ -2394,7 +2394,7 @@
 "ext-xz": "Lzma2 compression support.",
 "ext-zlib": "Gzip compression support."
 },
- "time": "2021-02-16T10:50:50+00:00",
+ "time": "2021-07-20T13:53:39+00:00",
 "type": "library",
 "extra": {
 "branch-alias": {
diff --git a/composer/installed.php b/composer/installed.php
index d6974a343..83cbaea87 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -5,7 +5,7 @@
 'type' => 'library',
 'install_path' => __DIR__ . '/../',
 'aliases' => array(),
- 'reference' => 'e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'reference' => 'b712fcb86411da2f8547100e28f3e586dee52ead',
 'name' => 'nextcloud/3rdparty',
 'dev' => false,
 ),
@@ -286,7 +286,7 @@
 'type' => 'library',
 'install_path' => __DIR__ . '/../',
 'aliases' => array(),
- 'reference' => 'e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'reference' => 'b712fcb86411da2f8547100e28f3e586dee52ead',
 'dev_requirement' => false,
 ),
 'nextcloud/lognormalizer' => array(
@@ -332,12 +332,12 @@
 'dev_requirement' => false,
 ),
 'pear/archive_tar' => array(
- 'pretty_version' => '1.4.13',
- 'version' => '1.4.13.0',
+ 'pretty_version' => '1.4.14',
+ 'version' => '1.4.14.0',
 'type' => 'library',
 'install_path' => __DIR__ . '/../pear/archive_tar',
 'aliases' => array(),
- 'reference' => '2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'reference' => '4d761c5334c790e45ef3245f0864b8955c562caa',
 'dev_requirement' => false,
 ),
 'pear/console_getopt' => array(
diff --git a/composer/package-versions-deprecated/src/PackageVersions/Versions.php b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
index f954bab29..cd4506a0a 100644
--- a/composer/package-versions-deprecated/src/PackageVersions/Versions.php
+++ b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
@@ -67,7 +67,7 @@ final class Versions
 'nikic/php-parser' => 'v4.10.5@4432ba399e47c66624bc73c8c0f811e5c109576f',
 'opis/closure' => '3.6.2@06e2ebd25f2869e54a306dda991f7db58066f7f6',
 'patchwork/jsqueeze' => 'v2.0.5@693d64850eab2ce6a7c8f7cf547e1ab46e69d542',
- 'pear/archive_tar' => '1.4.13@2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'pear/archive_tar' => '1.4.14@4d761c5334c790e45ef3245f0864b8955c562caa',
 'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
 'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
 'pear/pear_exception' => 'v1.0.2@b14fbe2ddb0b9f94f5b24cf08783d599f776fff0',
@@ -120,7 +120,7 @@ final class Versions
 'web-auth/cose-lib' => 'v3.3.1@eea6fae63ff5c81bf98c115b1be5f38a69682c16',
 'web-auth/metadata-service' => 'v3.3.1@8488d3a832a38cc81c670fce05de1e515c6e64b1',
 'web-auth/webauthn-lib' => 'v3.3.1@e411527a41c1013512fccdfce61681eb36484c77',
- 'nextcloud/3rdparty' => 'dev-master@e6a054be58a6c8b2fda92fbc7fbfd898f26fa0d2',
+ 'nextcloud/3rdparty' => 'dev-master@b712fcb86411da2f8547100e28f3e586dee52ead',
 );

 private function __construct()
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index a8c9501cc..3356ad6ac 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -2124,25 +2124,40 @@ public function _extractList(
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
+
+ $absolute_link = FALSE;
 $link_depth = 0;
- foreach (explode("/", $v_header['filename']) as $dir) {
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== "." ) {
- $link_depth++;
- }
+ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+ $absolute_link = TRUE;
 }
- foreach (explode("/", $v_header['link']) as $dir){
- if ($link_depth <= 0) {
- break;
+ else {
+ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+ $s_linkname = str_replace('\\', '/', $v_header['link']);
+ foreach (explode("/", $s_filename) as $dir) {
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== "." ) {
+ $link_depth++;
+ }
 }
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== ".") {
- $link_depth++;
+ foreach (explode("/", $s_linkname) as $dir){
+ if ($link_depth <= 0) {
+ break;
+ }
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== ".") {
+ $link_depth++;
+ }
 }
 }
- if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
+ if ($absolute_link || $link_depth <= 0) {
 $this->_error(
 'Out-of-path file extraction {'
 . $v_header['filename'] . ' --> ' .
@@ -2150,13 +2165,6 @@ public function _extractList(
 );
 return false;
 }
- if (!$p_symlinks) {
- $this->_warning('Symbolic links are not allowed. '
- . 'Unable to extract {'
- . $v_header['filename'] . '}'
- );
- return false;
- }
 if (@file_exists($v_header['filename'])) {
 @unlink($v_header['filename']);
 }
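Review bot: On the new `$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', ...)` line, `preg_quote` is called without the `@` delimiter, so an extraction path containing `@` yields an invalid pattern; `preg_replace` then returns null, `explode` sees an empty string, `$link_depth` stays 0 and every relative symlink in the archive is rejected as "Out-of-path" even when it is safe. The fix is to pass the delimiter, `preg_quote($p_path, '@')`, and it is worth noting the failure mode is fail-closed rather than a bypass. A second, smaller asymmetry is that only the link target is backslash-normalised via `str_replace('\\', '/', ...)` while `$s_filename` is not; whether `$v_header['filename']` was already normalised earlier in `_extractList` cannot be confirmed from this hunk, so it should be checked. Both hunks sit inside `_extractList`, whose body begins and ends outside the diff.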
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml index 8da0d40c9..d4f20bd4b 100644 --- a/pear/archive_tar/package.xml +++ b/pear/archive_tar/package.xml @@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension. stig@php.net no - 2021-02-16 - + 2021-07-20 + - 1.4.13 + 1.4.14 1.4.0 @@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension. New BSD License -* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook] +* Properly fix symbolic link path traversal (CVE-2021-32610) @@ -74,6 +74,21 @@ Also Lzma2 compressed archives are supported with xz extension. + + + 1.4.13 + 1.4.0 + + + stable + stable + + 2021-02-16 + New BSD License + + * Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook] + + 1.4.12