diff -Nru php-pear-1.10.5+submodules+notgz/debian/changelog php-pear-1.10.5+submodules+notgz/debian/changelog
--- php-pear-1.10.5+submodules+notgz/debian/changelog 2019-01-11 18:23:21.000000000 +0000
+++ php-pear-1.10.5+submodules+notgz/debian/changelog 2020-11-30 15:02:42.000000000 +0000
@@ -1,3 +1,13 @@
+php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: unserialization attack in Archive_Tar
+ - debian/patches/CVE-2020-2894x.patch: catch additional malicious or
+ crafted filenames in submodules/Archive_Tar/Archive/Tar.php.
+ - CVE-2020-28948
+ - CVE-2020-28949
+
+ -- Marc Deslauriers Mon, 30 Nov 2020 10:02:42 -0500
+
 php-pear (1:1.10.5+submodules+notgz-1ubuntu1.18.04.1) bionic-security; urgency=medium
 
 * SECURITY UPDATE: unserialization vulnerability in Archive_Tar
diff -Nru php-pear-1.10.5+submodules+notgz/debian/patches/CVE-2020-2894x.patch php-pear-1.10.5+submodules+notgz/debian/patches/CVE-2020-2894x.patch
--- php-pear-1.10.5+submodules+notgz/debian/patches/CVE-2020-2894x.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-pear-1.10.5+submodules+notgz/debian/patches/CVE-2020-2894x.patch 2020-11-30 15:02:18.000000000 +0000
@@ -0,0 +1,42 @@
+From 0670a05fdab997036a3fc3ef113b8f5922e574da Mon Sep 17 00:00:00 2001
+From: Michiel Rook
+Date: Thu, 19 Nov 2020 09:52:43 +0100
+Subject: [PATCH] Fixes #33 - ensure we catch additional malicious/crafted
+ filenames
+
+---
+ Archive/Tar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -1695,7 +1695,7 @@ class Archive_Tar extends PEAR
+ 
+ // ----- Extract the properties
+ $v_header['filename'] = rtrim($v_data['filename'], "\0");
+- if ($this->_maliciousFilename($v_header['filename'])) {
++ if ($this->_isMaliciousFilename($v_header['filename'])) {
+ $this->_error(
+ 'Malicious .tar detected, file "' . $v_header['filename'] .
+ '" will not install in desired directory tree'
+@@ -1765,9 +1765,9 @@ class Archive_Tar extends PEAR
+ *
+ * @return bool
+ */
+- private function _maliciousFilename($file)
++ private function _isMaliciousFilename($file)
+ {
+- if (strpos($file, 'phar://') === 0) {
++ if (strpos($file, '://') !== false) {
+ return true;
+ }
+ if (strpos($file, '/../') !== false) {
+@@ -1806,7 +1806,7 @@ class Archive_Tar extends PEAR
+ 
+ $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
+ $v_header['filename'] = $v_filename;
+- if ($this->_maliciousFilename($v_filename)) {
++ if ($this->_isMaliciousFilename($v_filename)) {
+ $this->_error(
+ 'Malicious .tar detected, file "' . $v_filename .
+ '" will not install in desired directory tree'
diff -Nru php-pear-1.10.5+submodules+notgz/debian/patches/series php-pear-1.10.5+submodules+notgz/debian/patches/series
--- php-pear-1.10.5+submodules+notgz/debian/patches/series 2019-01-11 18:23:14.000000000 +0000
+++ php-pear-1.10.5+submodules+notgz/debian/patches/series 2020-11-30 15:02:14.000000000 +0000
@@ -2,3 +2,4 @@
 0002-Fix-PECL-extensions-FTBFS-with-PHP-Fatal-error-Call-.patch
 php72_count_of_notcountable.patch
 CVE-2018-1000888.patch
+CVE-2020-2894x.patch
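Review bot: The widened test `if (strpos($file, '://') !== false)` in `_isMaliciousFilename` is correct but undocumented: it rejects a wrapper separator anywhere in the entry name, which is what closes the gap left by the old prefix-only `phar://` check (a differently-cased scheme or a wrapper other than `phar` passed it — presumably the two CVEs listed in the changelog), and without a comment a later maintainer could narrow it back to a scheme list. I would add above the check `// Reject any stream-wrapper scheme anywhere in the name: PHP matches wrapper schemes case-insensitively and the wrapper set is open-ended, so testing for the '://' separator is the only safe check.` The rest of `_isMaliciousFilename`, including whatever handles a leading `../` or an absolute path, continues outside the hunk, so I cannot tell from here whether those cases are covered. Separately, both `$this->_error(...)` calls visible as context still embed the raw, untrusted entry name in the message; if that message reaches a log or an HTML page it should be escaped or truncated at that boundary.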