Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Upstream issue: https://github.com/pear/Archive_Tar/issues/33
Upstream commit: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da
References: https://www.drupal.org/sa-core-2020-013
Note this vulnerability affects the PHP Archive_Tar package, not the Perl package with the same name. Archive_Tar is included in Fedora and Red Hat Enterprise Linux, bundled in the php-pear package.
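The gap described above (member names checked only for phar://, leaving other stream wrappers such as file:// unchecked) can be seen with a pre-extraction audit of member names. This is an added example in Python, not code from Archive_Tar or from this report; the function names, the stricter "any scheme://" rule and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Assumed stricter rule: any "scheme://" sequence in a member name is suspicious.
WRAPPER_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://")


def phar_only_check(name: str) -> bool:
    """Model of the narrow check the report describes: only phar:// is rejected."""
    return name.lower().startswith("phar://")


def any_wrapper_check(name: str) -> bool:
    """Reject every member name that contains a stream-wrapper style prefix."""
    return WRAPPER_RE.search(name) is not None


def audit_archive(fileobj):
    """List (name, phar_only_hit, any_wrapper_hit) per member without extracting."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [(m.name, phar_only_check(m.name), any_wrapper_check(m.name))
                for m in tar.getmembers()]


def missed_by_phar_only(fileobj):
    """Member names that a phar-only filter accepts but the stricter rule rejects."""
    return [n for n, phar, anyw in audit_archive(fileobj) if anyw and not phar]


def build_sample_archive() -> io.BytesIO:
    """Constructed sample input: one ordinary member, two wrapper-style names."""
    buf = io.BytesIO()
    data = b"constructed sample content\n"
    names = ("docs/readme.txt",
             "phar://sample.phar/a.txt",
             "file:///tmp/constructed-example.txt")
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, phar, anyw in audit_archive(build_sample_archive()):
        print(f"{name!r}: phar-only={phar} any-wrapper={anyw}")
```

Running the audit on untrusted archives before they reach an unpatched Archive_Tar shows which members a phar-only filter would let through.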
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:6541 https://access.redhat.com/errata/RHSA-2022:6541

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6542 https://access.redhat.com/errata/RHSA-2022:6542

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2022:7340 https://access.redhat.com/errata/RHSA-2022:7340