CVE-2020-36193

Name: CVE-2020-36193
Description: Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2530-1, DLA-2621-1, DSA-4894-1
Debian Bugs: 980428

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                                      | Version                                   | Status
drupal7 (PTS)   | jessie, jessie (lts)                         | 7.32-1+deb8u19                            | vulnerable
drupal7 (PTS)   | stretch (security), stretch (lts), stretch   | 7.52-2+deb9u18                            | fixed
php-pear (PTS)  | stretch (security), stretch (lts), stretch   | 1:1.10.1+submodules+notgz-9+deb9u3        | fixed
php-pear (PTS)  | buster (security), buster, buster (lts)      | 1:1.10.6+submodules+notgz-1.1+deb10u2     | fixed
php-pear (PTS)  | bullseye                                     | 1:1.10.12+submodules+notgz+20210212-1     | fixed
php-pear (PTS)  | sid, trixie, bookworm                        | 1:1.10.13+submodules+notgz+2022032202-2   | fixed

The information below is based on the following data on fixed versions.

Package   | Type    | Release    | Fixed Version                            | Urgency     | Origin      | Debian Bugs
drupal7   | source  | jessie     | (unfixed)                                | end-of-life |             |
drupal7   | source  | stretch    | 7.52-2+deb9u14                           |             | DLA-2530-1  |
drupal7   | source  | (unstable) | (unfixed)                                |             |             |
php-pear  | source  | stretch    | 1:1.10.1+submodules+notgz-9+deb9u3       |             | DLA-2621-1  |
php-pear  | source  | buster     | 1:1.10.6+submodules+notgz-1.1+deb10u2    |             | DSA-4894-1  |
php-pear  | source  | (unstable) | 1:1.10.12+submodules+notgz+20210212-1    |             |             | 980428

Notes

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
https://github.com/pear/Archive_Tar/commit/dc721bd8616e05ea89b7abcff4cf1e3e96963183
https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
https://github.com/pear/Archive_Tar/commit/7d8782d95f74b5889bfaaad43e74086f1918ec2b
https://www.drupal.org/sa-core-2021-001