diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/changelog php-pear-1.10.12+submodules+notgz+20210212/debian/changelog
--- php-pear-1.10.12+submodules+notgz+20210212/debian/changelog 2021-02-12 08:05:38.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/changelog 2021-07-28 14:39:27.000000000 +0000
@@ -1,3 +1,17 @@
+php-pear (1:1.10.12+submodules+notgz+20210212-1ubuntu1) impish; urgency=medium
+
+ * SECURITY REGRESSIONS:
+ - debian/patches/CVE-2020-36193-2.patch: fix out-of-path check for
+ virtual relative symlink in submodules/Archive_Tar/Archive/Tar.php.
+ - debian/patches/CVE-2020-36193-3.patch: PHP compat fix in
+ submodules/Archive_Tar/Archive/Tar.php.
+ * SECURITY UPDATE: incorrect symlink extraction
+ - debian/patches/CVE-2021-32610.patch: properly fix symbolic link path
+ traversal in submodules/Archive_Tar/Archive/Tar.php.
+ - CVE-2021-32610
+
+ -- Marc Deslauriers Wed, 28 Jul 2021 10:39:27 -0400
+
 php-pear (1:1.10.12+submodules+notgz+20210212-1) unstable; urgency=medium
 
 [ Ondřej Surý ]
diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/control php-pear-1.10.12+submodules+notgz+20210212/debian/control
--- php-pear-1.10.12+submodules+notgz+20210212/debian/control 2021-02-12 08:05:38.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/control 2021-07-28 14:39:27.000000000 +0000
@@ -1,7 +1,8 @@
 Source: php-pear
 Section: php
 Priority: optional
-Maintainer: Debian PHP Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian PHP Maintainers
 Uploaders: Mathieu Parent ,
 Ondřej Surý
 Build-Depends: debhelper (>= 9.20160709~),
diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-2.patch php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-2.patch
--- php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-2.patch 2021-07-28 14:38:32.000000000 +0000
@@ -0,0 +1,41 @@
+From b6da5c32254162fa0752616479fb3d3c5297c1cf Mon Sep 17 00:00:00 2001
+From: Wolfgang Popp
+Date: Tue, 2 Feb 2021 23:32:18 +0100
+Subject: [PATCH] Fix out-of-path check for virtual relative symlink
+
+A symlink is out-of-path if it is an absolute path or goes "up" too many
+times. This checks how deep the filename is and whether the link points
+more levels up than the depth of the filename.
+---
+ Archive/Tar.php | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -2124,7 +2124,25 @@ class Archive_Tar extends PEAR
+ }
+ }
+ } elseif ($v_header['typeflag'] == "2") {
+- if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
++ $link_depth = 0;
++ foreach (explode("/", $v_header['filename']) as $dir) {
++ if ($dir === "..") {
++ $link_depth--;
++ } elseif ($dir !== "" && $dir !== "." ) {
++ $link_depth++;
++ }
++ }
++ foreach (explode("/", $v_header['link']) as $dir){
++ if ($link_depth <= 0) {
++ break;
++ }
++ if ($dir === "..") {
++ $link_depth--;
++ } elseif ($dir !== "" && $dir !== ".") {
++ $link_depth++;
++ }
++ }
++ if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-3.patch php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-3.patch
--- php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2020-36193-3.patch 2021-07-28 14:38:37.000000000 +0000
@@ -0,0 +1,20 @@
+From 7d8782d95f74b5889bfaaad43e74086f1918ec2b Mon Sep 17 00:00:00 2001
+From: Michiel Rook
+Date: Thu, 4 Feb 2021 09:51:52 +0100
+Subject: [PATCH] PHP compat fix
+
+---
+ Archive/Tar.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -2142,7 +2142,7 @@ class Archive_Tar extends PEAR
+ $link_depth++;
+ }
+ }
+- if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) {
++ if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2021-32610.patch php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2021-32610.patch
--- php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2021-32610.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/patches/CVE-2021-32610.patch 2021-07-28 14:39:18.000000000 +0000
@@ -0,0 +1,82 @@
+From b5832439b1f37331fb4f87e67fe4f61ca26bf7d4 Mon Sep 17 00:00:00 2001
+From: Michiel Rook
+Date: Sun, 18 Jul 2021 17:21:58 +0200
+Subject: [PATCH] Properly fix symbolic link path traversal (CVE-2021-32610)
+
+---
+ Archive/Tar.php | 50 ++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+
+diff --git a/submodules/Archive_Tar/Archive/Tar.php b/submodules/Archive_Tar/Archive/Tar.php
+index a8c9501..3356ad6 100644
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -2124,25 +2124,40 @@ public function _extractList(
+ }
+ }
+ } elseif ($v_header['typeflag'] == "2") {
++ if (!$p_symlinks) {
++ $this->_warning('Symbolic links are not allowed. '
++ . 'Unable to extract {'
++ . $v_header['filename'] . '}'
++ );
++ return false;
++ }
++ $absolute_link = FALSE;
+ $link_depth = 0;
+- foreach (explode("/", $v_header['filename']) as $dir) {
+- if ($dir === "..") {
+- $link_depth--;
+- } elseif ($dir !== "" && $dir !== "." ) {
+- $link_depth++;
+- }
++ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
++ $absolute_link = TRUE;
+ }
+- foreach (explode("/", $v_header['link']) as $dir){
+- if ($link_depth <= 0) {
+- break;
++ else {
++ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
++ $s_linkname = str_replace('\\', '/', $v_header['link']);
++ foreach (explode("/", $s_filename) as $dir) {
++ if ($dir === "..") {
++ $link_depth--;
++ } elseif ($dir !== "" && $dir !== "." ) {
++ $link_depth++;
++ }
+ }
+- if ($dir === "..") {
+- $link_depth--;
+- } elseif ($dir !== "" && $dir !== ".") {
+- $link_depth++;
++ foreach (explode("/", $s_linkname) as $dir){
++ if ($link_depth <= 0) {
++ break;
++ }
++ if ($dir === "..") {
++ $link_depth--;
++ } elseif ($dir !== "" && $dir !== ".") {
++ $link_depth++;
++ }
+ }
+ }
+- if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
++ if ($absolute_link || $link_depth <= 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+@@ -2150,13 +2165,6 @@ public function _extractList(
+ );
+ return false;
+ }
+- if (!$p_symlinks) {
+- $this->_warning('Symbolic links are not allowed. '
+- . 'Unable to extract {'
+- . $v_header['filename'] . '}'
+- );
+- return false;
+- }
+ if (@file_exists($v_header['filename'])) {
+ @unlink($v_header['filename']);
+ }
diff -Nru php-pear-1.10.12+submodules+notgz+20210212/debian/patches/series php-pear-1.10.12+submodules+notgz+20210212/debian/patches/series
--- php-pear-1.10.12+submodules+notgz+20210212/debian/patches/series 2021-02-12 08:05:38.000000000 +0000
+++ php-pear-1.10.12+submodules+notgz+20210212/debian/patches/series 2021-07-28 14:38:44.000000000 +0000
@@ -1 +1,4 @@
 0001-Fix-PECL-extensions-FTBFS-with-PHP-Fatal-error-Call-.patch
+CVE-2020-36193-2.patch
+CVE-2020-36193-3.patch
+CVE-2021-32610.patch
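Review bot: In the new `$s_filename` line of CVE-2021-32610.patch, `preg_quote($p_path)` is called without the delimiter argument although the surrounding pattern uses `@` as its delimiter, so an extraction directory whose path contains `@` produces a malformed pattern; `preg_replace()` then returns null, the filename depth count stays at 0, and every symlink under that directory is presumably rejected as out-of-path (fail-closed, but a spurious error). The one-line fix is `$s_filename = preg_replace('@^' . preg_quote($p_path, '@') . '@', "", $v_header['filename']);`. A smaller point of style: the link is normalised with `str_replace('\\', '/', …)` before its depth is counted but the filename is not, so the two counts are taken over differently normalised strings; aligning them (or commenting why the filename needs no normalisation) would make the check easier to audit, and the `}` / `else {` split across two lines and the uppercase `FALSE`/`TRUE` do not match the surrounding code. The enclosing `_extractList()` method starts and ends outside the hunk.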