A NULL pointer dereference vulnerability in tar's metadata parsing was reported.
Upstream bug: https://bugs.php.net/bug.php?id=71391
Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=1c1b8b69982375700d4b011eb89ea48b66dbd5aa
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1305565]
This bug is not triggered by a malformed phar archive, but requires a PHP script to perform a specific operation on a tar-format phar archive - a call to the Phar::delMetadata function. That's rather unlikely, and does not seem to be worth calling security.