1910323 – (CVE-2020-28949) CVE-2020-28949 Archive_Tar: improper filename sanitization leads to file overwrites

Bug 1910323 (CVE-2020-28949) - CVE-2020-28949 Archive_Tar: improper filename sanitization leads to file overwrites

Summary: CVE-2020-28949 Archive_Tar: improper filename sanitization leads to file over...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-28949
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1910450 1910451 1910452 1910453 1910454 2124841 2124842 2170443
Blocks:	1910324
TreeView+	depends on / blocked

Reported:	2020-12-23 13:03 UTC by msiddiqu
Modified:	2023-03-16 13:56 UTC (History)
CC List:	5 users (show)
Fixed In Version:	Archive_Tar 1.4.11
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allow a local authenticated attacker to bypass security restrictions caused by a stream-wrapper attack. An attacker can overwrite arbitrary files on the system using a specially-crafted tar archive.
Clone Of:
Environment:
Last Closed:	2022-10-31 13:45:59 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:6541	None	None	None	2022-09-15 08:26:47 UTC
Red Hat Product Errata	RHSA-2022:6542	None	None	None	2022-09-15 08:29:38 UTC
Red Hat Product Errata	RHSA-2022:7340	None	None	None	2022-11-02 16:36:06 UTC

Description msiddiqu 2020-12-23 13:03:17 UTC

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Comment 1 msiddiqu 2020-12-23 13:04:29 UTC

Upstream issue:

https://github.com/pear/Archive_Tar/issues/33

Upstream commit:

https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

References: 
 
https://www.drupal.org/sa-core-2020-013

Comment 3 Doran Moppert 2020-12-24 01:21:52 UTC

Note this vulnerability affects the php Archive_Tar package, not the perl package with the same name.  Archive_Tar is included in Fedora and Red Hat Enterprise Linux bundled in the php-pear package.

Comment 6 errata-xmlrpc 2022-09-15 08:26:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6541 https://access.redhat.com/errata/RHSA-2022:6541

Comment 7 errata-xmlrpc 2022-09-15 08:29:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6542 https://access.redhat.com/errata/RHSA-2022:6542

Comment 8 errata-xmlrpc 2022-11-02 16:36:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7340 https://access.redhat.com/errata/RHSA-2022:7340

Note You need to log in before you can comment on or make changes to this bug.