CVE-2021-32610

NameCVE-2021-32610
DescriptionIn Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2721-1
NVD severitylow
Debian Bugs991541

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
drupal7 (PTS)stretch7.52-2+deb9u11vulnerable
stretch (security)7.52-2+deb9u16fixed
php-pear (PTS)stretch1:1.10.1+submodules+notgz-9+deb9u1vulnerable
stretch (security)1:1.10.1+submodules+notgz-9+deb9u3vulnerable
buster, buster (security)1:1.10.6+submodules+notgz-1.1+deb10u2vulnerable
bookworm, sid, bullseye1:1.10.12+submodules+notgz+20210212-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
drupal7sourcestretch7.52-2+deb9u16DLA-2721-1
drupal7source(unstable)(unfixed)
php-pearsource(unstable)(unfixed)991541

Notes

[bullseye] - php-pear <no-dsa> (Minor issue)
[buster] - php-pear <no-dsa> (Minor issue)
[stretch] - php-pear <no-dsa> (Minor issue)
https://www.drupal.org/sa-core-2021-004
https://pear.php.net/package/Archive_Tar/download/1.4.14/
https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f61ca26bf7d4 (1.4.14)

Search for package or bug name: Reporting problems