Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump pear/archive_tar from 1.4.9 to 1.4.11 #535

Merged
merged 1 commit into from
Dec 30, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 21 additions & 5 deletions composer.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 9 additions & 9 deletions composer/InstalledVersions.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,12 +24,12 @@ class InstalledVersions
private static $installed = array (
'root' =>
array (
'pretty_version' => 'dev-master',
'version' => 'dev-master',
'pretty_version' => 'v21.0.0beta4',
'version' => '21.0.0.0-beta4',
'aliases' =>
array (
),
'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
Expand Down Expand Up @@ -279,12 +279,12 @@ class InstalledVersions
),
'nextcloud/3rdparty' =>
array (
'pretty_version' => 'dev-master',
'version' => 'dev-master',
'pretty_version' => 'v21.0.0beta4',
'version' => '21.0.0.0-beta4',
'aliases' =>
array (
),
'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
),
'nextcloud/lognormalizer' =>
array (
Expand Down Expand Up @@ -342,12 +342,12 @@ class InstalledVersions
),
'pear/archive_tar' =>
array (
'pretty_version' => '1.4.9',
'version' => '1.4.9.0',
'pretty_version' => '1.4.11',
'version' => '1.4.11.0',
'aliases' =>
array (
),
'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
),
'pear/console_getopt' =>
array (
Expand Down
16 changes: 10 additions & 6 deletions composer/installed.json
Original file line number Diff line number Diff line change
Expand Up @@ -2160,17 +2160,17 @@
},
{
"name": "pear/archive_tar",
"version": "1.4.9",
"version_normalized": "1.4.9.0",
"version": "1.4.11",
"version_normalized": "1.4.11.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
"reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
"reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
"reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"shasum": ""
},
"require": {
Expand All @@ -2185,7 +2185,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
"time": "2019-12-04T10:17:28+00:00",
"time": "2020-11-19T22:10:24+00:00",
"type": "library",
"extra": {
"branch-alias": {
Expand Down Expand Up @@ -2225,6 +2225,10 @@
"archive",
"tar"
],
"support": {
"issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
"source": "https://github.com/pear/Archive_Tar"
},
"install-path": "../pear/archive_tar"
},
{
Expand Down
18 changes: 9 additions & 9 deletions composer/installed.php
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
<?php return array (
'root' =>
array (
'pretty_version' => 'dev-master',
'version' => 'dev-master',
'pretty_version' => 'v21.0.0beta4',
'version' => '21.0.0.0-beta4',
'aliases' =>
array (
),
'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
Expand Down Expand Up @@ -256,12 +256,12 @@
),
'nextcloud/3rdparty' =>
array (
'pretty_version' => 'dev-master',
'version' => 'dev-master',
'pretty_version' => 'v21.0.0beta4',
'version' => '21.0.0.0-beta4',
'aliases' =>
array (
),
'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
),
'nextcloud/lognormalizer' =>
array (
Expand Down Expand Up @@ -319,12 +319,12 @@
),
'pear/archive_tar' =>
array (
'pretty_version' => '1.4.9',
'version' => '1.4.9.0',
'pretty_version' => '1.4.11',
'version' => '1.4.11.0',
'aliases' =>
array (
),
'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
),
'pear/console_getopt' =>
array (
Expand Down
5 changes: 5 additions & 0 deletions pear/archive_tar/.gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,8 @@ vendor
.buildpath
.project
.settings
# pear
.tarballs
*.tgz
# phpunit
build
21 changes: 13 additions & 8 deletions pear/archive_tar/Archive/Tar.php
Original file line number Diff line number Diff line change
Expand Up @@ -731,7 +731,7 @@ public function setIgnoreRegexp($regexp)
*/
public function setIgnoreList($list)
{
$regexp = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
$list = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
$regexp = '#/' . join('$|/', $list) . '#';
$this->setIgnoreRegexp($regexp);
}
Expand Down Expand Up @@ -1273,7 +1273,7 @@ public function _addFile($p_filename, &$p_header, $p_add_dir, $p_remove_dir, $v_
while (($v_buffer = fread($v_file, $this->buffer_length)) != '') {
$buffer_length = strlen("$v_buffer");
if ($buffer_length != $this->buffer_length) {
$pack_size = ((int)($buffer_length / 512) + 1) * 512;
$pack_size = ((int)($buffer_length / 512) + ($buffer_length % 512 !== 0 ? 1 : 0)) * 512;
$pack_format = sprintf('a%d', $pack_size);
} else {
$pack_format = sprintf('a%d', $this->buffer_length);
Expand Down Expand Up @@ -1515,8 +1515,13 @@ public function _writeHeaderBlock(
$userinfo = posix_getpwuid($p_uid);
$groupinfo = posix_getgrgid($p_gid);

$v_uname = $userinfo['name'];
$v_gname = $groupinfo['name'];
if ($userinfo === false || $groupinfo === false) {
$v_uname = '';
$v_gname = '';
} else {
$v_uname = $userinfo['name'];
$v_gname = $groupinfo['name'];
}
} else {
$v_uname = '';
$v_gname = '';
Expand Down Expand Up @@ -1725,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)

// ----- Extract the properties
$v_header['filename'] = rtrim($v_data['filename'], "\0");
if ($this->_maliciousFilename($v_header['filename'])) {
if ($this->_isMaliciousFilename($v_header['filename'])) {
$this->_error(
'Malicious .tar detected, file "' . $v_header['filename'] .
'" will not install in desired directory tree'
Expand Down Expand Up @@ -1795,9 +1800,9 @@ private function _tarRecToSize($tar_size)
*
* @return bool
*/
private function _maliciousFilename($file)
private function _isMaliciousFilename($file)
{
if (strpos($file, 'phar://') === 0) {
if (strpos($file, '://') !== false) {
return true;
}
if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
Expand Down Expand Up @@ -1833,7 +1838,7 @@ public function _readLongHeader(&$v_header)

$v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
$v_header['filename'] = $v_filename;
if ($this->_maliciousFilename($v_filename)) {
if ($this->_isMaliciousFilename($v_filename)) {
$this->_error(
'Malicious .tar detected, file "' . $v_filename .
'" will not install in desired directory tree'
Expand Down
40 changes: 36 additions & 4 deletions pear/archive_tar/package.xml
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
<date>2019-12-04</date>
<time>09:25:16</time>
<date>2020-11-19</date>
<time>22:06:48</time>
<version>
<release>1.4.9</release>
<release>1.4.11</release>
<api>1.4.0</api>
</version>
<stability>
Expand All @@ -44,7 +44,8 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Implement Feature #23861: Add option to disallow symlinks [mrook]
* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
CVE-2020-28949) [mrook]
</notes>
<contents>
<dir name="/">
Expand Down Expand Up @@ -74,6 +75,37 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<version>
<release>1.4.10</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2020-09-15</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
* Don&apos;t try to copy username/groupname in chroot jail
</notes>
</release>
<release>
<version>
<release>1.4.9</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2019-12-04</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Implement Feature #23861: Add option to disallow symlinks [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.8</release>
Expand Down