In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

References:
https://github.com/pear/Archive_Tar/releases/tag/1.4.14
https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html
https://www.drupal.org/sa-core-2021-004
https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f
After analysis, the issue stems from the absence of a check on whether a symlink entry's target lies outside the extraction directory. Because no such check was made, a symlink entry could be created pointing outside the directory the archive is being extracted into, and later entries whose paths pass through that symlink would be written to wherever it points. The result is modification of the filesystem outside the extraction directory, either overwriting existing files or creating new ones.
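As an added illustration (not Archive_Tar's code, and not the fix in the linked commit), the following Python builds an archive of the shape described above and contrasts a naive extractor, which writes a later file entry through the symlink, with one that rejects link members whose resolved target leaves the extraction root. The archive contents, the function names (naive_extract, safe_extract, link_escapes, demo) and the scratch directories are assumptions of the example; it assumes a POSIX filesystem where an unprivileged user may create symlinks.

```python
import io
import os
import tarfile
import tempfile


def build_symlink_escape_tar(link_target: str, payload: bytes) -> bytes:
    """Constructed sample archive: symlink member 'escape' -> link_target,
    followed by a regular file whose path passes through that link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
        info = tarfile.TarInfo("escape/pwned.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _write_member(tar: tarfile.TarFile, member: tarfile.TarInfo, dest: str) -> str:
    """Materialise one member under dest (dirs, symlinks, regular files only).
    Deliberately naive: no path or link-target checks happen here."""
    path = os.path.join(dest, member.name)
    if member.isdir():
        os.makedirs(path, exist_ok=True)
    elif member.issym():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.symlink(member.linkname, path)  # POSIX assumed
    elif member.isfile():
        # makedirs and open() both follow a symlinked parent directory
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(tar.extractfile(member).read())
    else:
        raise ValueError(f"unsupported member type: {member.name}")
    return path


def naive_extract(data: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: members written in archive order with no checks."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [_write_member(tar, m, dest) for m in tar.getmembers()]


def link_escapes(dest: str, link_name: str, link_target: str) -> bool:
    """True if a symlink at dest/link_name pointing at link_target would resolve
    outside dest. Relative targets resolve against the link's own directory;
    absolute targets must still land inside dest."""
    dest_real = os.path.realpath(dest)
    link_dir = os.path.dirname(os.path.join(dest_real, link_name))
    target = link_target if os.path.isabs(link_target) else os.path.join(link_dir, link_target)
    return os.path.commonpath([dest_real, os.path.realpath(target)]) != dest_real


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Hardened extraction: every member's on-disk path must resolve inside dest
    (realpath follows symlinks created by earlier members), and every symlink's
    target must stay inside dest. Hardlinks fall through to _write_member, which
    rejects them as unsupported in this example."""
    dest_real = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            resolved = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, resolved]) != dest_real:
                raise ValueError(f"member path escapes destination: {member.name}")
            if member.issym() and link_escapes(dest_real, member.name, member.linkname):
                raise ValueError(f"link target escapes destination: {member.name} -> {member.linkname}")
            written.append(_write_member(tar, member, dest_real))
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive in a scratch tree:
    parent/out is the extraction root, parent/outside stands in for a directory
    the attacker wants to reach (a web root, say)."""
    payload = b"owned\n"
    data = build_symlink_escape_tar("../outside", payload)
    with tempfile.TemporaryDirectory() as parent:
        outside = os.path.join(parent, "outside")
        os.mkdir(outside)
        naive_dest = os.path.join(parent, "out")
        os.mkdir(naive_dest)
        naive_extract(data, naive_dest)
        leaked = os.path.join(outside, "pwned.txt")
        naive_wrote_outside = False
        if os.path.isfile(leaked):
            with open(leaked, "rb") as fh:
                naive_wrote_outside = fh.read() == payload
        safe_dest = os.path.join(parent, "out2")
        os.mkdir(safe_dest)
        try:
            safe_extract(data, safe_dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
        safe_dest_contents = sorted(os.listdir(safe_dest))
    return {"naive_wrote_outside": naive_wrote_outside,
            "rejected": rejected,
            "safe_dest_contents": safe_dest_contents}


if __name__ == "__main__":
    print(demo())
```

The check is made per member, at creation time, rather than once over the member list: a symlink created by an earlier entry changes what later paths resolve to, so the realpath comparison in safe_extract catches a file entry that would be written through a link even if the link check were somehow bypassed. Archive_Tar's own fix lives in the commit linked above; the example shows the class of check, not that code.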
Created php-pear tracking bugs for this issue: Affects: fedora-all [bug 1989558]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7628 https://access.redhat.com/errata/RHSA-2022:7628
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-32610