diff --git a/composer.lock b/composer.lock
index 3f44d5e61..5be7990a7 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2023,16 +2023,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.9",
+ "version": "1.4.11",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2085,7 +2085,11 @@
"archive",
"tar"
],
- "time": "2019-12-04T10:17:28+00:00"
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
+ "source": "https://github.com/pear/Archive_Tar"
+ },
+ "time": "2020-11-19T22:10:24+00:00"
},
{
"name": "pear/console_getopt",
@@ -2132,6 +2136,10 @@
}
],
"description": "More info available on: http://pear.php.net/package/Console_Getopt",
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Console_Getopt",
+ "source": "https://github.com/pear/Console_Getopt"
+ },
"time": "2019-11-20T18:27:48+00:00"
},
{
@@ -2176,6 +2184,10 @@
}
],
"description": "Minimal set of PEAR core files to be used as composer dependency",
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR",
+ "source": "https://github.com/pear/pear-core-minimal"
+ },
"time": "2019-11-19T19:00:24+00:00"
},
{
@@ -2231,6 +2243,10 @@
"keywords": [
"exception"
],
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
+ "source": "https://github.com/pear/PEAR_Exception"
+ },
"time": "2019-12-10T10:24:42+00:00"
},
{
diff --git a/composer/InstalledVersions.php b/composer/InstalledVersions.php
index 4ed5f7fc3..cb56b0e9e 100644
--- a/composer/InstalledVersions.php
+++ b/composer/InstalledVersions.php
@@ -29,7 +29,7 @@ class InstalledVersions
'aliases' =>
array (
),
- 'reference' => '1c9341631508ff217c3ebec6b64a97eb1137248c',
+ 'reference' => '979e31884be0e3cdc282ed1f05833e9383633a3b',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
@@ -284,7 +284,7 @@ class InstalledVersions
'aliases' =>
array (
),
- 'reference' => '1c9341631508ff217c3ebec6b64a97eb1137248c',
+ 'reference' => '979e31884be0e3cdc282ed1f05833e9383633a3b',
),
'nextcloud/lognormalizer' =>
array (
@@ -342,12 +342,12 @@ class InstalledVersions
),
'pear/archive_tar' =>
array (
- 'pretty_version' => '1.4.9',
- 'version' => '1.4.9.0',
+ 'pretty_version' => '1.4.11',
+ 'version' => '1.4.11.0',
'aliases' =>
array (
),
- 'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
+ 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
),
'pear/console_getopt' =>
array (
diff --git a/composer/installed.json b/composer/installed.json
index 833b87357..c90b30fd9 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2116,17 +2116,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.9",
- "version_normalized": "1.4.9.0",
+ "version": "1.4.11",
+ "version_normalized": "1.4.11.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
- "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+ "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
@@ -2141,7 +2141,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2019-12-04T10:17:28+00:00",
+ "time": "2020-11-19T22:10:24+00:00",
"type": "library",
"extra": {
"branch-alias": {
@@ -2181,6 +2181,10 @@
"archive",
"tar"
],
+ "support": {
+ "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
+ "source": "https://github.com/pear/Archive_Tar"
+ },
"install-path": "../pear/archive_tar"
},
{
diff --git a/composer/installed.php b/composer/installed.php
index 5e2bdc1b1..28b38109b 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -6,7 +6,7 @@
'aliases' =>
array (
),
- 'reference' => '1c9341631508ff217c3ebec6b64a97eb1137248c',
+ 'reference' => '979e31884be0e3cdc282ed1f05833e9383633a3b',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
@@ -261,7 +261,7 @@
'aliases' =>
array (
),
- 'reference' => '1c9341631508ff217c3ebec6b64a97eb1137248c',
+ 'reference' => '979e31884be0e3cdc282ed1f05833e9383633a3b',
),
'nextcloud/lognormalizer' =>
array (
@@ -319,12 +319,12 @@
),
'pear/archive_tar' =>
array (
- 'pretty_version' => '1.4.9',
- 'version' => '1.4.9.0',
+ 'pretty_version' => '1.4.11',
+ 'version' => '1.4.11.0',
'aliases' =>
array (
),
- 'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
+ 'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
),
'pear/console_getopt' =>
array (
diff --git a/pear/archive_tar/.gitignore b/pear/archive_tar/.gitignore
index c32ccd7cc..c703991e8 100644
--- a/pear/archive_tar/.gitignore
+++ b/pear/archive_tar/.gitignore
@@ -8,3 +8,8 @@ vendor
.buildpath
.project
.settings
+# pear
+.tarballs
+*.tgz
+# phpunit
+build
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index 2f328c227..92710741c 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -731,7 +731,7 @@ public function setIgnoreRegexp($regexp)
*/
public function setIgnoreList($list)
{
- $regexp = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
+ $list = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
$regexp = '#/' . join('$|/', $list) . '#';
$this->setIgnoreRegexp($regexp);
}
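Review bot: The escaping in `setIgnoreList` still covers only `#`, `.`, `^` and `$`, so a list entry containing any other PCRE metacharacter (`*`, `+`, `?`, `(`, `[`, `|`, `\`) is interpreted as pattern syntax and can widen, narrow or invalidate the ignore expression. Unless callers are meant to pass regex fragments, `$list = array_map(function ($e) { return preg_quote($e, '#'); }, $list);` quotes every metacharacter as well as the `#` delimiter. The docblock (partly outside this hunk) should state that `$list` must be an array of literal path suffixes, since `join()` on the next line assumes an array.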
@@ -1273,7 +1273,7 @@ public function _addFile($p_filename, &$p_header, $p_add_dir, $p_remove_dir, $v_
while (($v_buffer = fread($v_file, $this->buffer_length)) != '') {
$buffer_length = strlen("$v_buffer");
if ($buffer_length != $this->buffer_length) {
- $pack_size = ((int)($buffer_length / 512) + 1) * 512;
+ $pack_size = ((int)($buffer_length / 512) + ($buffer_length % 512 !== 0 ? 1 : 0)) * 512;
$pack_format = sprintf('a%d', $pack_size);
} else {
$pack_format = sprintf('a%d', $this->buffer_length);
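Review bot: The padding branch treats every read shorter than `$this->buffer_length` as the last chunk of the file, which `fread()` does not guarantee for stream types other than plain local files; a short read in the middle of the data would put NUL padding inside the file body and produce a corrupt archive. If `$v_file` can ever be such a stream (its open call is outside this hunk), the padding should be computed once after the loop from the total byte count. As a style point, `$pack_size = (int)ceil($buffer_length / 512) * 512;` states the round-up intent more directly than the added ternary.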
@@ -1515,8 +1515,13 @@ public function _writeHeaderBlock(
$userinfo = posix_getpwuid($p_uid);
$groupinfo = posix_getgrgid($p_gid);
- $v_uname = $userinfo['name'];
- $v_gname = $groupinfo['name'];
+ if ($userinfo === false || $groupinfo === false) {
+ $v_uname = '';
+ $v_gname = '';
+ } else {
+ $v_uname = $userinfo['name'];
+ $v_gname = $groupinfo['name'];
+ }
} else {
$v_uname = '';
$v_gname = '';
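Review bot: The added guard blanks both names when either lookup fails, so a resolvable user name is dropped whenever only `posix_getgrgid()` returns false, and the other way round. Handling the two results independently keeps whatever is available: `$v_uname = $userinfo === false ? '' : $userinfo['name'];` and `$v_gname = $groupinfo === false ? '' : $groupinfo['name'];`. The enclosing `if` and the rest of `_writeHeaderBlock` start outside this hunk.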
@@ -1725,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
- if ($this->_maliciousFilename($v_header['filename'])) {
+ if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
@@ -1795,9 +1800,9 @@ private function _tarRecToSize($tar_size)
*
* @return bool
*/
- private function _maliciousFilename($file)
+ private function _isMaliciousFilename($file)
{
- if (strpos($file, 'phar://') === 0) {
+ if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
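Review bot: The link-target field does not visibly get the validation that `filename` now gets: in this diff `_isMaliciousFilename()` is called only on `filename` in `_readHeader` and `_readLongHeader`, and an archive entry is also described by its symlink or hard-link target. Whether that target is checked against stream-wrapper prefixes and paths leaving the extraction directory before it is used is not shown here and should be confirmed, because a filename-only check leaves that field as the remaining path into the filesystem. The docblock should also record why the match is no longer anchored or scheme-specific, e.g. `// Reject any stream-wrapper prefix (phar://, file://, ...) in any letter case, anywhere in the name.` The rest of the function body lies outside the hunk.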
@@ -1833,7 +1838,7 @@ public function _readLongHeader(&$v_header)
$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
- if ($this->_maliciousFilename($v_filename)) {
+ if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 683493951..6edf4fd10 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2019-12-04
-
+ 2020-11-19
+
- 1.4.9
+ 1.4.11
1.4.0
@@ -44,7 +44,8 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Implement Feature #23861: Add option to disallow symlinks [mrook]
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
+ CVE-2020-28949) [mrook]
@@ -74,6 +75,37 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.10
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2020-09-15
+ New BSD License
+
+ * Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
+ * Don't try to copy username/groupname in chroot jail
+
+
+
+
+ 1.4.9
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2019-12-04
+ New BSD License
+
+* Implement Feature #23861: Add option to disallow symlinks [mrook]
+
+
1.4.8