

Merge pull request #601 from nextcloud/dependabot/composer/pear/archive_tar-1.4.12

[Security] Bump pear/archive_tar from 1.4.11 to 1.4.12
ChristophWurst committed Jan 19, 2021
2 parents 3317acf + 099e537 commit 08d4d2a
Showing 7 changed files with 80 additions and 34 deletions.
20 changes: 15 additions & 5 deletions composer.lock


10 changes: 5 additions & 5 deletions composer/InstalledVersions.php
Expand Up @@ -29,7 +29,7 @@ class InstalledVersions
'aliases' =>
array (
),
'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
Expand Down Expand Up @@ -302,7 +302,7 @@ class InstalledVersions
'aliases' =>
array (
),
'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
),
'nextcloud/lognormalizer' =>
array (
Expand Down Expand Up @@ -349,12 +349,12 @@ class InstalledVersions
),
'pear/archive_tar' =>
array (
'pretty_version' => '1.4.11',
'version' => '1.4.11.0',
'pretty_version' => '1.4.12',
'version' => '1.4.12.0',
'aliases' =>
array (
),
'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
),
'pear/console_getopt' =>
array (
22 changes: 16 additions & 6 deletions composer/installed.json
Expand Up @@ -2274,17 +2274,17 @@
},
{
"name": "pear/archive_tar",
"version": "1.4.11",
"version_normalized": "1.4.11.0",
"version": "1.4.12",
"version_normalized": "1.4.12.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
"reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
"reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"reference": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495",
"shasum": ""
},
"require": {
Expand All @@ -2299,7 +2299,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
"time": "2020-11-19T22:10:24+00:00",
"time": "2021-01-18T19:32:54+00:00",
"type": "library",
"extra": {
"branch-alias": {
Expand Down Expand Up @@ -2343,6 +2343,16 @@
"issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
"source": "https://github.com/pear/Archive_Tar"
},
"funding": [
{
"url": "https://github.com/mrook",
"type": "github"
},
{
"url": "https://www.patreon.com/michielrook",
"type": "patreon"
}
],
"install-path": "../pear/archive_tar"
},
{
10 changes: 5 additions & 5 deletions composer/installed.php
Expand Up @@ -6,7 +6,7 @@
'aliases' =>
array (
),
'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
'name' => 'nextcloud/3rdparty',
),
'versions' =>
Expand Down Expand Up @@ -279,7 +279,7 @@
'aliases' =>
array (
),
'reference' => '263574371f59d50a62558ac9a3adeb2acf3f5025',
'reference' => 'a9db460535cf4f02e8004ccd22fefffe2a11026e',
),
'nextcloud/lognormalizer' =>
array (
Expand Down Expand Up @@ -326,12 +326,12 @@
),
'pear/archive_tar' =>
array (
'pretty_version' => '1.4.11',
'version' => '1.4.11.0',
'pretty_version' => '1.4.12',
'version' => '1.4.12.0',
'aliases' =>
array (
),
'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
'reference' => '19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
),
'pear/console_getopt' =>
array (
Expand Up @@ -66,7 +66,7 @@ final class Versions
'nikic/php-parser' => 'v4.10.4@c6d052fc58cb876152f89f532b95a8d7907e7f0e',
'opis/closure' => '3.6.1@943b5d70cc5ae7483f6aff6ff43d7e34592ca0f5',
'patchwork/jsqueeze' => 'v2.0.5@693d64850eab2ce6a7c8f7cf547e1ab46e69d542',
'pear/archive_tar' => '1.4.11@17d355cb7d3c4ff08e5729f29cd7660145208d9d',
'pear/archive_tar' => '1.4.12@19bb8e95490d3e3ad92fcac95500ca80bdcc7495',
'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
'pear/pear_exception' => 'v1.0.1@dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7',
Expand Down Expand Up @@ -118,7 +118,7 @@ final class Versions
'web-auth/cose-lib' => 'v3.3.1@eea6fae63ff5c81bf98c115b1be5f38a69682c16',
'web-auth/metadata-service' => 'v3.3.1@8488d3a832a38cc81c670fce05de1e515c6e64b1',
'web-auth/webauthn-lib' => 'v3.3.1@e411527a41c1013512fccdfce61681eb36484c77',
'nextcloud/3rdparty' => 'dev-master@263574371f59d50a62558ac9a3adeb2acf3f5025',
'nextcloud/3rdparty' => 'dev-master@a9db460535cf4f02e8004ccd22fefffe2a11026e',
);

private function __construct()
22 changes: 17 additions & 5 deletions pear/archive_tar/Archive/Tar.php
Expand Up @@ -1397,16 +1397,20 @@ public function _writeHeader($p_filename, $p_stored_filename)

$v_magic = 'ustar ';
$v_version = ' ';
$v_uname = '';
$v_gname = '';

if (function_exists('posix_getpwuid')) {
$userinfo = posix_getpwuid($v_info[4]);
$groupinfo = posix_getgrgid($v_info[5]);

$v_uname = $userinfo['name'];
$v_gname = $groupinfo['name'];
} else {
$v_uname = '';
$v_gname = '';
if (isset($userinfo['name'])) {
$v_uname = $userinfo['name'];
}

if (isset($groupinfo['name'])) {
$v_gname = $groupinfo['name'];
}
}

$v_devmajor = '';
Expand Down Expand Up @@ -2120,6 +2124,14 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
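Review bot: The new out-of-path guard in `_extractList` (the `strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0` test before the `$p_symlinks` check) is a bare string-prefix comparison, so a directory whose real path merely extends `realpath($p_path)` as a string passes it; the comparison should be against the base with a trailing separator or exact equality, e.g. `$v_base = realpath($p_path); $v_target = realpath(dirname($v_header['link']));` followed by `if ($v_target === false || ($v_target !== $v_base && strpos($v_target, $v_base . DIRECTORY_SEPARATOR) !== 0)) {`. `realpath()` returns `false` when the link's parent directory does not exist, and `strpos(false, …)` then also evaluates as out-of-path, which fails closed but rejects legitimate relative links whose targets are not yet on disk and would be worth handling explicitly rather than by accident. `realpath(dirname($v_header['link']))` resolves a relative link target against the process working directory, not against the directory under `$p_path` where the link is presumably created outside this hunk, so the check does not evaluate the location the link will actually point to; confirm where the symlink is written before relying on it. `_extractList` begins and ends outside the hunk.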
26 changes: 20 additions & 6 deletions pear/archive_tar/package.xml
Expand Up @@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
<date>2020-11-19</date>
<time>22:06:48</time>
<date>2021-01-18</date>
<time>19:29:56</time>
<version>
<release>1.4.11</release>
<release>1.4.12</release>
<api>1.4.0</api>
</version>
<stability>
Expand All @@ -44,8 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
CVE-2020-28949) [mrook]
* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
</notes>
<contents>
<dir name="/">
Expand Down Expand Up @@ -75,7 +74,22 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<release>
<version>
<release>1.4.11</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2020-11-19</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.10</release>
<api>1.4.0</api>
