Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
https://github.com/pear/Archive_Tar/issues/33
https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/
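The flaw described above is a case-sensitive blocklist on a scheme prefix, while PHP resolves stream-wrapper schemes case-insensitively. The following PHP is an added illustration, not code from Archive_Tar or its fix commit: it puts a weak exact-case "phar:" check beside a hardened check that normalises case and refuses any scheme prefix on an archive entry name. The sample entry names are constructed for the demonstration.

```php
<?php
// Added illustration (not Archive_Tar's own code). A case-sensitive prefix
// check on "phar:" misses "PHAR:" and "Phar:", because PHP matches
// stream-wrapper schemes without regard to case.

// Weak check: exact-case prefix match, the pattern the CVE text describes.
function isBlockedWeak(string $path): bool
{
    return strncmp($path, 'phar:', 5) === 0;
}

// Hardened check: case-insensitive, and refuses any "<scheme>:" prefix
// (phar:, PHAR:, data:, file:, ...) rather than listing known-bad schemes.
// Archive entries should be plain relative paths, so a scheme never belongs.
function isBlockedHardened(string $path): bool
{
    return preg_match('/^[a-z][a-z0-9+.\-]*:/i', $path) === 1;
}

// Constructed sample entry names.
$samples = [
    'phar://archive.tar/x',   // caught by both checks
    'PHAR://archive.tar/x',   // slips past the weak check
    'Phar://archive.tar/x',   // slips past the weak check
    'docs/readme.txt',        // ordinary entry, allowed by both
];

foreach ($samples as $p) {
    printf("%-24s weak=%-8s hardened=%s\n", $p,
        isBlockedWeak($p) ? 'blocked' : 'ALLOWED',
        isBlockedHardened($p) ? 'blocked' : 'allowed');
}
```

Run with `php check.php`; the two upper-case variants print `weak=ALLOWED` but `hardened=blocked`. The hardened pattern also rejects single-letter prefixes such as Windows drive letters (`C:`), which is the intended behaviour when validating names read from an untrusted archive: extraction targets should be joined to a base directory, never taken as absolute or scheme-qualified paths.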
Created perl-Archive-Tar tracking bugs for this issue: Affects: fedora-all [bug 1904002]
Upstream issue: https://github.com/pear/Archive_Tar/issues/33
Upstream commit: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da
References: Drupal: https://www.drupal.org/sa-core-2020-013
Note this vulnerability affects the PHP Archive_Tar package, not the Perl package with the same name. Archive_Tar is included in Fedora and Red Hat Enterprise Linux bundled in the php-pear package.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:6541 https://access.redhat.com/errata/RHSA-2022:6541
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6542 https://access.redhat.com/errata/RHSA-2022:6542
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:7340 https://access.redhat.com/errata/RHSA-2022:7340
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28948