The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism (the wrapper's interceptors validate the base .phar file before PHP opens the archive and unserializes its metadata), as demonstrated by a phar:///path/bad.phar/../good.phar URL.

References:
https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1
https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1
https://typo3.org/security/advisory/typo3-psa-2019-007/
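The bug class behind this advisory is a resolution mismatch: the protection layer decides which .phar file a URL refers to in one way, while PHP's phar stream wrapper decides in another, and a `..` segment placed after the archive name makes the two disagree. The Python below is an added model written for this entry; it is not the phar-stream-wrapper source and does not reproduce its exact code. It assumes (as a simplification of PHP's behaviour) that PHP treats the first path component ending in `.phar` as the archive and everything after it as an in-archive path, and it uses a constructed allow-list containing only `/path/good.phar`.

```python
"""Model of a phar:// base-file resolution mismatch.

Constructed example for this CVE entry, not the phar-stream-wrapper code.
Two resolvers decide which archive a phar:// URL names; a '..' segment
after the archive name makes a textual normaliser pick a different file
than the one PHP actually opens, so an allow-list check on the textual
result can be bypassed.
"""
import posixpath

PHAR_SCHEME = "phar://"

# Constructed allow-list: only this archive may be opened.
ALLOWED_ARCHIVES = {"/path/good.phar"}


def strip_scheme(url: str) -> str:
    """Return the path part of a phar:// URL."""
    if not url.startswith(PHAR_SCHEME):
        raise ValueError("not a phar:// URL: %r" % url)
    return url[len(PHAR_SCHEME):]


def first_phar_component(path: str):
    """Path up to and including the first component ending in '.phar'.

    Simplification: PHP also recognises compressed variants such as
    .phar.gz; this model only handles the plain '.phar' suffix.
    """
    parts = path.split("/")
    for index, part in enumerate(parts):
        if part.endswith(".phar"):
            return "/".join(parts[: index + 1])
    return None


def textual_base_file(url: str):
    """Vulnerable model: collapse '.' and '..' textually, then look for the
    archive. 'bad.phar/../good.phar' collapses to 'good.phar', so the
    check is performed against a file PHP will never open."""
    return first_phar_component(posixpath.normpath(strip_scheme(url)))


def php_base_file(url: str):
    """Assumed model of PHP's wrapper: the archive is the first '.phar'
    component in the raw path; '..' after it is resolved *inside* the
    archive and never leaves it."""
    return first_phar_component(strip_scheme(url))


def vulnerable_is_allowed(url: str) -> bool:
    """Allow-list check on the textually normalised base file."""
    return textual_base_file(url) in ALLOWED_ARCHIVES


def hardened_is_allowed(url: str) -> bool:
    """Check the archive PHP will actually open, and refuse any URL on
    which the two resolutions disagree (any '..' before the archive
    name is rejected as well; that is deliberately conservative)."""
    php_base = php_base_file(url)
    if php_base is None or php_base != textual_base_file(url):
        return False
    return php_base in ALLOWED_ARCHIVES


if __name__ == "__main__":
    probe = "phar:///path/bad.phar/../good.phar"
    print("textual resolver :", textual_base_file(probe))
    print("PHP-style resolver:", php_base_file(probe))
    print("vulnerable allows :", vulnerable_is_allowed(probe))
    print("hardened allows   :", hardened_is_allowed(probe))
```

The point the model makes: a protection mechanism must validate the same object the consumer will act on. Here the fix is not "strip `..`" but "resolve the archive the way PHP does, and reject anything ambiguous"; in-archive traversal such as `phar:///path/good.phar/lib/../Foo.php` still passes because both resolvers agree on `good.phar`.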
Created php-typo3-phar-stream-wrapper tracking bugs for this issue: Affects: fedora-all [bug 1708651]
Created php-typo3-phar-stream-wrapper2 tracking bugs for this issue: Affects: fedora-all [bug 1708652]
Created php-typo3-phar-stream-wrapper2 tracking bugs for this issue: Affects: epel-7 [bug 1708653]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.