Merge pull request #535 from nextcloud/dependabot/composer/pear/archi…

…ve_tar-1.4.11

[Security] Bump pear/archive_tar from 1.4.9 to 1.4.11

composer/InstalledVersions.php

@@ -24,12 +24,12 @@ class InstalledVersions
 private static $installed = array (
   'root' => 
   array (
-    'pretty_version' => 'dev-master',
-    'version' => 'dev-master',
+    'pretty_version' => 'v21.0.0beta4',
+    'version' => '21.0.0.0-beta4',
     'aliases' => 
     array (
     ),
-    'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
+    'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
     'name' => 'nextcloud/3rdparty',
   ),
   'versions' => 
@@ -279,12 +279,12 @@ class InstalledVersions
     ),
     'nextcloud/3rdparty' => 
     array (
-      'pretty_version' => 'dev-master',
-      'version' => 'dev-master',
+      'pretty_version' => 'v21.0.0beta4',
+      'version' => '21.0.0.0-beta4',
       'aliases' => 
       array (
       ),
-      'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
+      'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
     ),
     'nextcloud/lognormalizer' => 
     array (
@@ -342,12 +342,12 @@ class InstalledVersions
     ),
     'pear/archive_tar' => 
     array (
-      'pretty_version' => '1.4.9',
-      'version' => '1.4.9.0',
+      'pretty_version' => '1.4.11',
+      'version' => '1.4.11.0',
       'aliases' => 
       array (
       ),
-      'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
+      'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
     ),
     'pear/console_getopt' => 
     array (

composer/installed.json

@@ -2160,17 +2160,17 @@
         },
         {
             "name": "pear/archive_tar",
-            "version": "1.4.9",
-            "version_normalized": "1.4.9.0",
+            "version": "1.4.11",
+            "version_normalized": "1.4.11.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/pear/Archive_Tar.git",
-                "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0"
+                "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/c5b00053770e1d72128252c62c2c1a12c26639f0",
-                "reference": "c5b00053770e1d72128252c62c2c1a12c26639f0",
+                "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/17d355cb7d3c4ff08e5729f29cd7660145208d9d",
+                "reference": "17d355cb7d3c4ff08e5729f29cd7660145208d9d",
                 "shasum": ""
             },
             "require": {
@@ -2185,7 +2185,7 @@
                 "ext-xz": "Lzma2 compression support.",
                 "ext-zlib": "Gzip compression support."
             },
-            "time": "2019-12-04T10:17:28+00:00",
+            "time": "2020-11-19T22:10:24+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
@@ -2225,6 +2225,10 @@
                 "archive",
                 "tar"
             ],
+            "support": {
+                "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=Archive_Tar",
+                "source": "https://github.com/pear/Archive_Tar"
+            },
             "install-path": "../pear/archive_tar"
         },
         {

composer/installed.php

@@ -1,12 +1,12 @@
 <?php return array (
   'root' => 
   array (
-    'pretty_version' => 'dev-master',
-    'version' => 'dev-master',
+    'pretty_version' => 'v21.0.0beta4',
+    'version' => '21.0.0.0-beta4',
     'aliases' => 
     array (
     ),
-    'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
+    'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
     'name' => 'nextcloud/3rdparty',
   ),
   'versions' => 
@@ -256,12 +256,12 @@
     ),
     'nextcloud/3rdparty' => 
     array (
-      'pretty_version' => 'dev-master',
-      'version' => 'dev-master',
+      'pretty_version' => 'v21.0.0beta4',
+      'version' => '21.0.0.0-beta4',
       'aliases' => 
       array (
       ),
-      'reference' => 'b5b70263cc7626a8422445ba908d5bb81c50f524',
+      'reference' => 'fbe551895d32ce5b1f0323be79044c6af755c666',
     ),
     'nextcloud/lognormalizer' => 
     array (
@@ -319,12 +319,12 @@
     ),
     'pear/archive_tar' => 
     array (
-      'pretty_version' => '1.4.9',
-      'version' => '1.4.9.0',
+      'pretty_version' => '1.4.11',
+      'version' => '1.4.11.0',
       'aliases' => 
       array (
       ),
-      'reference' => 'c5b00053770e1d72128252c62c2c1a12c26639f0',
+      'reference' => '17d355cb7d3c4ff08e5729f29cd7660145208d9d',
     ),
     'pear/console_getopt' => 
     array (

pear/archive_tar/.gitignore

@@ -8,3 +8,8 @@ vendor
 .buildpath
 .project
 .settings
+# pear
+.tarballs
+*.tgz
+# phpunit
+build

pear/archive_tar/Archive/Tar.php

@@ -731,7 +731,7 @@ public function setIgnoreRegexp($regexp)
      */
     public function setIgnoreList($list)
     {
-        $regexp = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
+        $list = str_replace(array('#', '.', '^', '$'), array('\#', '\.', '\^', '\$'), $list);
         $regexp = '#/' . join('$|/', $list) . '#';
         $this->setIgnoreRegexp($regexp);
     }
@@ -1273,7 +1273,7 @@ public function _addFile($p_filename, &$p_header, $p_add_dir, $p_remove_dir, $v_
             while (($v_buffer = fread($v_file, $this->buffer_length)) != '') {
                 $buffer_length = strlen("$v_buffer");
                 if ($buffer_length != $this->buffer_length) {
-                    $pack_size = ((int)($buffer_length / 512) + 1) * 512;
+                    $pack_size = ((int)($buffer_length / 512) + ($buffer_length % 512 !== 0 ? 1 : 0)) * 512;
                     $pack_format = sprintf('a%d', $pack_size);
                 } else {
                     $pack_format = sprintf('a%d', $this->buffer_length);
@@ -1515,8 +1515,13 @@ public function _writeHeaderBlock(
             $userinfo = posix_getpwuid($p_uid);
             $groupinfo = posix_getgrgid($p_gid);
 
-            $v_uname = $userinfo['name'];
-            $v_gname = $groupinfo['name'];
+            if ($userinfo === false || $groupinfo === false) {
+                $v_uname = '';
+                $v_gname = '';
+            } else {
+                $v_uname = $userinfo['name'];
+                $v_gname = $groupinfo['name'];
+            }
         } else {
             $v_uname = '';
             $v_gname = '';
@@ -1725,7 +1730,7 @@ public function _readHeader($v_binary_data, &$v_header)
 
         // ----- Extract the properties
         $v_header['filename'] = rtrim($v_data['filename'], "\0");
-        if ($this->_maliciousFilename($v_header['filename'])) {
+        if ($this->_isMaliciousFilename($v_header['filename'])) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_header['filename'] .
                 '" will not install in desired directory tree'
@@ -1795,9 +1800,9 @@ private function _tarRecToSize($tar_size)
      *
      * @return bool
      */
-    private function _maliciousFilename($file)
+    private function _isMaliciousFilename($file)
     {
-        if (strpos($file, 'phar://') === 0) {
+        if (strpos($file, '://') !== false) {
             return true;
         }
         if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
@@ -1833,7 +1838,7 @@ public function _readLongHeader(&$v_header)
 
         $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
         $v_header['filename'] = $v_filename;
-        if ($this->_maliciousFilename($v_filename)) {
+        if ($this->_isMaliciousFilename($v_filename)) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_filename .
                 '" will not install in desired directory tree'

pear/archive_tar/package.xml

@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
   <email>stig@php.net</email>
   <active>no</active>
  </helper>
- <date>2019-12-04</date>
- <time>09:25:16</time>
+ <date>2020-11-19</date>
+ <time>22:06:48</time>
  <version>
-  <release>1.4.9</release>
+  <release>1.4.11</release>
   <api>1.4.0</api>
  </version>
  <stability>
@@ -44,7 +44,8 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </stability>
  <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
  <notes>
-* Implement Feature #23861: Add option to disallow symlinks [mrook]
+* Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 /
+   CVE-2020-28949) [mrook]
  </notes>
  <contents>
   <dir name="/">
@@ -74,6 +75,37 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
  </dependencies>
  <phprelease />
  <changelog>
+   <release>
+    <version>
+     <release>1.4.10</release>
+     <api>1.4.0</api>
+    </version>
+    <stability>
+     <release>stable</release>
+     <api>stable</api>
+    </stability>
+    <date>2020-09-15</date>
+    <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+    <notes>
+ * Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
+ * Don&apos;t try to copy username/groupname in chroot jail
+    </notes>
+  </release>
+  <release>
+   <version>
+    <release>1.4.9</release>
+    <api>1.4.0</api>
+   </version>
+   <stability>
+    <release>stable</release>
+    <api>stable</api>
+   </stability>
+   <date>2019-12-04</date>
+   <license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
+   <notes>
+* Implement Feature #23861: Add option to disallow symlinks [mrook]
+   </notes>
+  </release>
   <release>
    <version>
     <release>1.4.8</release>