This bug is not triggered by a malformed phar archive, but requires a PHP script to perform specific operation on a tar-format phar archive - call to a Phar::delMetadata function. That's rather unlikely, and does not seem to be worth calling security.