Advisories for Composer/Pear/Archive_tar package

In Archive_Tar, symlinks can refer to targets outside of the extracted archive.

Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

archive_tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

There are several file operations with $v_header['filename'] as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with phar://[path_to_malicious_phar_file] as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another …