CVE-2020-36193

Name: CVE-2020-36193
Description: Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2530-1, DLA-2621-1, DSA-4894-1
NVD severity: medium
Debian Bugs: 980428

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release            | Version                                  | Status
drupal7 (PTS)    | stretch            | 7.52-2+deb9u11                           | vulnerable
drupal7 (PTS)    | stretch (security) | 7.52-2+deb9u15                           | fixed
php-pear (PTS)   | stretch            | 1:1.10.1+submodules+notgz-9+deb9u1       | vulnerable
php-pear (PTS)   | stretch (security) | 1:1.10.1+submodules+notgz-9+deb9u3       | fixed
php-pear (PTS)   | buster             | 1:1.10.6+submodules+notgz-1.1+deb10u1    | vulnerable
php-pear (PTS)   | buster (security)  | 1:1.10.6+submodules+notgz-1.1+deb10u2    | fixed
php-pear (PTS)   | bullseye, sid      | 1:1.10.12+submodules+notgz+20210212-1    | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version                            | Urgency | Origin     | Debian Bugs
drupal7  | source | stretch    | 7.52-2+deb9u14                           |         | DLA-2530-1 |
drupal7  | source | (unstable) | (unfixed)                                |         |            |
php-pear | source | stretch    | 1:1.10.1+submodules+notgz-9+deb9u3       |         | DLA-2621-1 |
php-pear | source | buster     | 1:1.10.6+submodules+notgz-1.1+deb10u2    |         | DSA-4894-1 |
php-pear | source | (unstable) | 1:1.10.12+submodules+notgz+20210212-1    |         |            | 980428

Notes

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
https://github.com/pear/Archive_Tar/commit/dc721bd8616e05ea89b7abcff4cf1e3e96963183
https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
https://github.com/pear/Archive_Tar/commit/7d8782d95f74b5889bfaaad43e74086f1918ec2b
https://www.drupal.org/sa-core-2021-001
