Control: tags 976108 + patch Control: tags 976108 + pending
Dear maintainer, I've prepared an NMU for php-pear (versioned as 1:1.10.9+submodules+notgz-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru php-pear-1.10.9+submodules+notgz/debian/changelog php-pear-1.10.9+submodules+notgz/debian/changelog
--- php-pear-1.10.9+submodules+notgz/debian/changelog 2019-08-01 23:15:22.000000000 +0200
+++ php-pear-1.10.9+submodules+notgz/debian/changelog 2020-12-06 14:40:37.000000000 +0100
@@ -1,3 +1,11 @@
+php-pear (1:1.10.9+submodules+notgz-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * ensure we catch additional malicious/crafted filenames (CVE-2020-28948,
+ CVE-2020-28949) (Closes: #976108)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 06 Dec 2020 14:40:37 +0100
+
 php-pear (1:1.10.9+submodules+notgz-1) unstable; urgency=low
 
 [ Ond??ej Sur?? ]
diff -Nru php-pear-1.10.9+submodules+notgz/debian/patches/0004-Fixes-33-ensure-we-catch-additional-malicious-crafte.patch php-pear-1.10.9+submodules+notgz/debian/patches/0004-Fixes-33-ensure-we-catch-additional-malicious-crafte.patch
--- php-pear-1.10.9+submodules+notgz/debian/patches/0004-Fixes-33-ensure-we-catch-additional-malicious-crafte.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-pear-1.10.9+submodules+notgz/debian/patches/0004-Fixes-33-ensure-we-catch-additional-malicious-crafte.patch 2020-12-06 14:40:37.000000000 +0100
@@ -0,0 +1,50 @@
+From: Michiel Rook <mich...@michielrook.nl>
+Date: Thu, 19 Nov 2020 09:52:43 +0100
+Subject: Fixes #33 - ensure we catch additional malicious/crafted filenames
+Origin: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da
+Bug: https://github.com/pear/Archive_Tar/issues/33
+Bug-Debian: https://bugs.debian.org/976108
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28948
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28949
+
+---
+ submodules/Archive_Tar/Archive/Tar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/submodules/Archive_Tar/Archive/Tar.php b/submodules/Archive_Tar/Archive/Tar.php
+index 5a52ce818c89..92710741c542 100644
+--- a/submodules/Archive_Tar/Archive/Tar.php
++++ b/submodules/Archive_Tar/Archive/Tar.php
+@@ -1730,7 +1730,7 @@ class Archive_Tar extends PEAR
+
+ // ----- Extract the properties
+ $v_header['filename'] = rtrim($v_data['filename'], "\0");
+- if ($this->_maliciousFilename($v_header['filename'])) {
++ if ($this->_isMaliciousFilename($v_header['filename'])) {
+ $this->_error(
+ 'Malicious .tar detected, file "' . $v_header['filename'] .
+ '" will not install in desired directory tree'
+@@ -1800,9 +1800,9 @@ class Archive_Tar extends PEAR
+ *
+ * @return bool
+ */
+- private function _maliciousFilename($file)
++ private function _isMaliciousFilename($file)
+ {
+- if (strpos($file, 'phar://') === 0) {
++ if (strpos($file, '://') !== false) {
+ return true;
+ }
+ if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
+@@ -1838,7 +1838,7 @@ class Archive_Tar extends PEAR
+
+ $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
+ $v_header['filename'] = $v_filename;
+- if ($this->_maliciousFilename($v_filename)) {
++ if ($this->_isMaliciousFilename($v_filename)) {
+ $this->_error(
+ 'Malicious .tar detected, file "' . $v_filename .
+ '" will not install in desired directory tree'
+--
+2.29.2
+
diff -Nru php-pear-1.10.9+submodules+notgz/debian/patches/series php-pear-1.10.9+submodules+notgz/debian/patches/series
--- php-pear-1.10.9+submodules+notgz/debian/patches/series 2019-08-01 23:14:41.000000000 +0200
+++ php-pear-1.10.9+submodules+notgz/debian/patches/series 2020-12-06 14:40:37.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Fix-PECL-extensions-FTBFS-with-PHP-Fatal-error-Call-.patch
 0002-Fix-manpage-warning.patch
 0003-Implement-the-SOURCE_DATE_EPOCH-specification.patch
+0004-Fixes-33-ensure-we-catch-additional-malicious-crafte.patch
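Review bot: The only behavioural change in the embedded Tar.php patch is the `strpos($file, '://') !== false` test in the second hunk, yet the diffstat (`1 file changed`) shows no regression test accompanies it; a small test asserting that `_isMaliciousFilename` rejects a leading `phar://`, an upper-case `PHAR://` and a wrapper appearing mid-path (which the old case-sensitive `=== 0` prefix check on `'phar://'` would have accepted) would pin the widened rule. The docblock above the method, of which only `@return bool` is visible here, should also record what is now rejected, e.g. `// reject any embedded stream-wrapper scheme (phar://, file://, ...), not only a leading phar://`. The method body continues past the hunk, so whether absolute paths or a bare trailing `..` component are also refused cannot be confirmed from this view; the visible checks are plain substring matches on `../` and `..\`, which on their own do not cover those cases.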