Bug 1988558 (CVE-2021-32610) - CVE-2021-32610 php-pear: Directory traversal vulnerability
Summary: CVE-2021-32610 php-pear: Directory traversal vulnerability
Keywords:
Status: NEW
Alias: CVE-2021-32610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989192 1989193 1989194 1989558 1989559
Blocks: 1988559
TreeView+ depends on / blocked
 
Reported: 2021-07-30 19:53 UTC by Pedro Sampaio
Modified: 2022-11-08 09:52 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7628 0 None None None 2022-11-08 09:52:08 UTC

Description Pedro Sampaio 2021-07-30 19:53:47 UTC
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

References:

https://github.com/pear/Archive_Tar/releases/tag/1.4.14
https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html
https://www.drupal.org/sa-core-2021-004
https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f

Comment 2 Garrett Tucker 2021-08-02 16:23:39 UTC
After analysis, the issue stems from a lack of checking if a symlink was outside of the archive. Since this check was not made, symlinks could be followed outside of the archive and lead to modification of the filesystem outside of the archive which could result in affecting existing files or creation of new files.

Comment 3 Garrett Tucker 2021-08-03 13:13:17 UTC
Created php-pear tracking bugs for this issue:

Affects: fedora-all [bug 1989558]

Comment 5 errata-xmlrpc 2022-11-08 09:52:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7628 https://access.redhat.com/errata/RHSA-2022:7628


Note You need to log in before you can comment on or make changes to this bug.