CVE-2021-32610

NameCVE-2021-32610
DescriptionIn Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2721-1
Debian Bugs991541

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-pear (PTS)bullseye1:1.10.12+submodules+notgz+20210212-1vulnerable
sid, trixie, bookworm1:1.10.13+submodules+notgz+2022032202-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal7sourcestretch7.52-2+deb9u16DLA-2721-1
drupal7source(unstable)(unfixed)
php-pearsource(unstable)1:1.10.13+submodules+notgz-1991541

Notes

[bullseye] - php-pear <no-dsa> (Minor issue)
[buster] - php-pear <no-dsa> (Minor issue)
[stretch] - php-pear <no-dsa> (Minor issue)
https://www.drupal.org/sa-core-2021-004
https://pear.php.net/package/Archive_Tar/download/1.4.14/
https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f61ca26bf7d4 (1.4.14)
Search for package or bug name: Reporting problems