
archive_tar's Introduction

Archive_Tar


This package provides handling of tar files in PHP. It supports creating, listing, extracting and adding to tar files. Gzip support is available if PHP has the zlib extension built in or loaded; bz2 compression is supported with the bz2 extension loaded; LZMA2 (xz) compressed archives are supported with the xz extension.

This package is hosted at http://pear.php.net/package/Archive_Tar

Please report all new issues via the PEAR bug tracker.

Pull requests are welcome!

Testing, building

To test, run either $ phpunit tests/ or $ pear run-tests -r

To build, simply $ pear package

To install from scratch $ pear install package.xml

To upgrade $ pear upgrade -f package.xml

archive_tar's People

Contributors: alexpott, andytson, ashnazg, ayesh, benoitduffez, chazzbg, clockwerx, cweiske, greg-1-anderson, helgi, kayleung, maks3w, mcdruid, mfn, mj, mortenson, mpparsley, mrook, oyejorge, pawka, sebastianbergmann, steffunky, stigsb, till, tvvcox, wapmorgan, woefe


archive_tar's Issues

Throws array access of type bool error in chroot jail

_writeHeaderBlock in vendor/pear/archive_tar/archive/tar.php contains:

        if (function_exists('posix_getpwuid')) {
            $userinfo = posix_getpwuid($v_info[4]);
            $groupinfo = posix_getgrgid($v_info[5]);

            $v_uname = $userinfo['name'];
            $v_gname = $groupinfo['name'];
        } else {
            $v_uname = '';
            $v_gname = '';
        }

But posix_getpwuid can in fact return false in a chroot jail. This unfortunately isn't documented here:

https://www.php.net/posix_getpwuid

But someone in the comments writes:

If you are using a kernel security module, such as LIDS, GrSec or SELinux, it will work only if '/etc/passwd' is readable for the user under which PHP/Apache runs; otherwise you get FALSE.

In my case it's a chroot jail that's preventing access to /etc/passwd.

It would be nice if v_uname and v_gname could be set to an empty string in this case - just like it's done anyway in the else case.
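A null-safe version of that lookup, added here as an example (it is not Archive_Tar's own code; the function name is an assumption). Both posix_getpwuid() and posix_getgrgid() return false when the passwd/group database is unreadable or the id is unknown, and indexing false with ['name'] is a PHP 8 error ("Trying to access array offset on value of type bool"), so the lookup falls back to the empty names the else branch already uses:

```php
<?php
// Added example, not Archive_Tar's own code: a replacement for the
// posix_getpwuid()/posix_getgrgid() lookup in _writeHeaderBlock that
// tolerates a false return (chroot jail, LIDS/GrSec/SELinux, unknown id).

declare(strict_types=1);

/**
 * Return [uname, gname] for a tar header, or ['', ''] when the lookup is
 * unavailable or fails. Tar readers fall back to the numeric uid/gid when
 * the name fields are empty, which is what the original else-branch does.
 */
function tarOwnerNames(int $uid, int $gid): array
{
    $uname = '';
    $gname = '';

    // Check each function separately: disable_functions in php.ini can
    // remove either one even when the posix extension is loaded.
    if (function_exists('posix_getpwuid')) {
        $pw = @posix_getpwuid($uid);          // false if unreadable or unknown
        if (is_array($pw) && isset($pw['name'])) {
            $uname = (string) $pw['name'];
        }
    }
    if (function_exists('posix_getgrgid')) {
        $gr = @posix_getgrgid($gid);
        if (is_array($gr) && isset($gr['name'])) {
            $gname = (string) $gr['name'];
        }
    }

    // ustar uname/gname fields are 32 bytes including the NUL terminator;
    // truncate rather than let a long name spill into the next header field.
    return [substr($uname, 0, 31), substr($gname, 0, 31)];
}

// Constructed inputs: uid/gid 0 normally resolves (root); a very high id does
// not exist on most systems and exercises the false path without a chroot.
foreach ([[0, 0], [2147483000, 2147483000]] as [$uid, $gid]) {
    [$u, $g] = tarOwnerNames($uid, $gid);
    printf("uid %d -> uname=%s gname=%s\n", $uid,
        $u === '' ? '(empty)' : $u, $g === '' ? '(empty)' : $g);
}
```

The same pattern applies anywhere the posix_* lookups are used for display: treat a false return as "no name" rather than as an error, because the numeric ids are still written to the header and remain correct.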

Relative symlinks with parent folder reference inside archive are rejected as out-of-path

In this line an out-of-path check was introduced, which is supposed to make sure that symbolic links cannot point to paths outside of the extracted archive.

This logic does not properly allow symbolic links to point upwards from a subfolder inside the archive; it treats such a symbolic link as pointing out-of-path. Example:

invalid -> ../some-path
vendor/bin/some-name -> ../name/name/script.php
vendor/name/name/script.php

Consider the above structure for an archive. While the symlink invalid that points to a folder outside of the archive definitely should be rejected, as of right now the codebase would also reject the supposedly valid symlink vendor/bin/some-name which actually points to vendor/name/name/script.php inside the archive.

Add option to disallow symlinks

For applications where uploaded archives are untrusted, it would be useful to have a way to disallow symlinks. This would effectively protect against exploits that involve archives that point to (and eventually override) system paths. See https://www.exploit-db.com/papers/13199 and https://github.com/BuddhaLabs/PacketStorm-Exploits/blob/master/0101-exploits/tar-symlink.txt for more information.

I'm happy to create a PR for this, but want to check to see if this is a feature you would accept and if so, where it should live. I was thinking of adding it as another parameter to \Archive_Tar::extract.

What do you think?

Composer version 1.4.13 appears to be missing security patch

When downloading latest version (v1.4.13) via composer it does not seem to contain the security patch for "Disallow symlinks to out-of-path filenames" (cde4605).

This seems to download the following package:
https://codeload.github.com/pear/Archive_Tar/legacy.zip/2b87b41178cc6d4ad3cba678a46a1cae49786011

Steps to reproduce:

  1. 'composer require pear/archive_tar'
  2. The package.xml states the version as 1.4.13, however if you look in Archive/Tar.php at line 2126 it is missing the code changes above.

Fortiguard blocks this download due to the following threat:
https://www.fortiguard.com/encyclopedia/ips/49786

Multiple vulnerabilities through filename manipulation (CVE-2020-28948 and CVE-2020-28949)

I have submitted this to the PEAR bug tracker as well as the PEAR group mailing list, and I'm not sure if either has gone through, so opening an issue here with the hope that this is the right place for it.

While auditing a separate application which uses Archive_Tar internally, I found that Archive_Tar is vulnerable to object injection through Phar unserialization as well as to local file overwriting by crafting the 'filename' of a file in a tar archive.

Phar unserialization

There was a BlackHat talk by Sam Thomas on exploiting PHP's Phar metadata unserialization behavior a couple of years ago, called "It's a PHP unserialization vulnerability Jim, but not as we know it", which you can look at for more information.[1][2]

Archive_Tar attempts to defend against this kind of an attack with the following code:

private function _maliciousFilename($file)
{
    if (strpos($file, 'phar://') === 0) {
        return true;
    }
    if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
        return true;
    }
    return false;
}

This is easily bypassable with a crafted tar archive containing a malicious filename specified as PHAR://malicious_file.phar (scheme in capital letters).

I have attached a fully functional exploit that you can run to confirm this vulnerability, download exploit.zip and run as follows (requires phar.readonly to be disabled in php.ini):

$ unzip exploit.zip -d exploit

$ cd ./exploit/phar_poc/

$ chmod 0755 steps.sh

$ ./steps.sh

Local File Overwrite

While Archive_Tar at least attempts to defend against Phar unserialization, other stream wrappers are left unchecked. This allows us to create a crafted tar archive containing a malicious filename specified as file://path/to/file/to/be/overwritten.

If the PHP process is running under a privileged user, this would allow an attacker to even overwrite files like /etc/passwd or /etc/shadow.

I have attached a fully functional exploit that you can run to confirm this vulnerability, download exploit.zip and run as follows:

$ unzip exploit.zip -d exploit

$ cd ./exploit/file_poc/

$ chmod 0755 steps.sh

$ ./steps.sh

Countermeasure

Change private function _maliciousFilename($file) as follows:

private function _maliciousFilename($file)
{
    if (strpos($file, '://') !== false) {
        return true;
    }
    if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
        return true;
    }
    return false;
}

This ensures that along with preventing the above attacks, crafted filenames such as compress.bzip2://phar://exploit.phar also don't pass through. This is a safe check to use because if a filename contains scheme://, it most likely is a malicious file.

It would be great if you could fix this and also request a CVE ID.

Attachments: exploit.zip
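To make the two bypasses concrete, here is the original check beside a hardened one, run over the filenames from the report. This is an added example, not Archive_Tar's code and not the reporter's patch: the "://" test is the reporter's countermeasure, while the extra rejections (NUL bytes, absolute paths, a bare ".." segment such as "dir/..") are additions of this example.

```php
<?php
// Added example, not Archive_Tar's own code. Compares the shipped
// _maliciousFilename() with a hardened version on the filenames discussed
// in the report (case-changed PHAR://, file://, nested wrappers).

declare(strict_types=1);

/** The check as shipped before the fix (vulnerable, kept for comparison). */
function maliciousFilenameOriginal(string $file): bool
{
    if (strpos($file, 'phar://') === 0) {   // case-sensitive: PHAR:// slips through
        return true;
    }
    if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
        return true;
    }
    return false;
}

/** Hardened check: any "scheme://" is refused, plus the usual traversal cases. */
function maliciousFilenameHardened(string $file): bool
{
    // PHP matches stream-wrapper schemes case-insensitively, and wrappers can
    // nest (compress.bzip2://phar://...), so refuse "://" anywhere, any case.
    if (strpos($file, '://') !== false) {
        return true;
    }
    // An embedded NUL would truncate the path at the C level.
    if (strpos($file, "\0") !== false) {
        return true;
    }
    // Absolute paths (POSIX, or a Windows drive letter) escape the target dir.
    if ($file === '' || $file[0] === '/' || $file[0] === '\\'
        || preg_match('#^[A-Za-z]:[/\\\\]#', $file) === 1) {
        return true;
    }
    // Reject any ".." path segment, including a trailing one ("dir/..") that
    // the substring test for "../" does not catch.
    foreach (preg_split('#[/\\\\]+#', $file) as $seg) {
        if ($seg === '..') {
            return true;
        }
    }
    return false;
}

// Constructed filenames: the bypasses from the report plus benign controls.
$samples = [
    'phar://evil.phar',
    'PHAR://evil.phar',
    'file:///etc/passwd',
    'compress.bzip2://phar://evil.phar',
    '../../../etc/cron.d/job',
    'dir/..',
    '/etc/shadow',
    'normal/file.txt',
    'docs/my..notes.txt',
];
printf("%-36s %-10s %s\n", 'filename', 'original', 'hardened');
foreach ($samples as $f) {
    printf("%-36s %-10s %s\n", $f,
        maliciousFilenameOriginal($f) ? 'reject' : 'ALLOW',
        maliciousFilenameHardened($f) ? 'reject' : 'allow');
}
```

Refusing every "://" also refuses a legitimate entry whose name happens to contain that sequence, which is an acceptable trade for an extractor: tar entry names are relative paths, and a stream-wrapper prefix has no business in one. Note that the name check is only half of the defence; the extractor must still build the destination with the target directory as a prefix and open it without passing the entry name through a function that interprets wrappers.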

PHP 7.4 - Archive_Tar->_readHeader() throws deprecations

Testing PHP 7.4 with Drupal 8.8.x we get the following error:

PHPUnit 7.5.16 by Sebastian Bergmann and contributors.

Testing Drupal\Tests\config\Functional\ConfigImportUploadTest
E                                                                   1 / 1 (100%)

Time: 7.46 seconds, Memory: 4.00 MB

There was 1 error:

1) Drupal\Tests\config\Functional\ConfigImportUploadTest::testImport
Exception: Deprecated function: Invalid characters passed for attempted conversion, these have been ignored
Archive_Tar->_readHeader()() (Line: 1695)


/var/www/html/core/lib/Drupal/Core/Test/HttpClientMiddleware/TestHttpClientMiddleware.php:51
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:203
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:156
/var/www/html/vendor/guzzlehttp/promises/src/TaskQueue.php:47
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:246
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:223
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:267
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:225
/var/www/html/vendor/guzzlehttp/promises/src/Promise.php:62
/var/www/html/vendor/guzzlehttp/guzzle/src/Client.php:131
/var/www/html/vendor/fabpot/goutte/Goutte/Client.php:180
/var/www/html/vendor/symfony/browser-kit/Client.php:318
/var/www/html/vendor/symfony/browser-kit/Client.php:259
/var/www/html/vendor/behat/mink-browserkit-driver/src/BrowserKitDriver.php:696
/var/www/html/vendor/behat/mink-browserkit-driver/src/BrowserKitDriver.php:480
/var/www/html/vendor/behat/mink/src/Element/NodeElement.php:153
/var/www/html/vendor/behat/mink/src/Element/NodeElement.php:161
/var/www/html/core/tests/Drupal/Tests/UiHelperTrait.php:100
/var/www/html/core/tests/Drupal/Tests/UiHelperTrait.php:209
/var/www/html/core/modules/config/tests/src/Functional/ConfigImportUploadTest.php:50

ERRORS!
Tests: 1, Assertions: 9, Errors: 1.
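The deprecation comes from octdec(): since PHP 7.4 it emits "Invalid characters passed for attempted conversion" whenever the string holds anything but octal digits, and _readHeader() hands it raw header fields. The decoder below is an added example (not Archive_Tar's code; the function name and sample fields are constructed): it cuts the field at its NUL/space padding, validates the remainder, supports the GNU base-256 encoding used for sizes that do not fit in 11 octal digits, and turns a malformed field into an exception instead of a deprecation plus a silently wrong number.

```php
<?php
// Added example, not Archive_Tar's own code: a numeric-field decoder for
// ustar headers that never passes invalid characters to octdec().
// Assumes 64-bit PHP (21 octal digits fit in PHP_INT_MAX).

declare(strict_types=1);

/**
 * Decode a numeric ustar header field (mode, uid, gid, size, mtime, chksum).
 * Returns the value, or throws when the bytes are not a valid encoding.
 */
function tarNumericField(string $raw, string $name): int
{
    // GNU/star base-256: high bit of the first byte set, big-endian value in
    // the remaining bits. Used by GNU tar for sizes >= 8 GiB.
    if ($raw !== '' && (ord($raw[0]) & 0x80) !== 0) {
        $value = ord($raw[0]) & 0x7F;
        for ($i = 1, $n = strlen($raw); $i < $n; $i++) {
            if ($value > (PHP_INT_MAX >> 8)) {
                throw new UnexpectedValueException("$name: base-256 value overflows");
            }
            $value = ($value << 8) | ord($raw[$i]);
        }
        return $value;
    }

    // Octal: digits padded with spaces and/or NULs on either side.
    $digits = trim($raw, " \0");
    if ($digits === '') {
        return 0;                              // all-NUL field (e.g. an empty size)
    }
    if (preg_match('/^[0-7]+$/', $digits) !== 1) {
        throw new UnexpectedValueException("$name: non-octal bytes " . bin2hex($raw));
    }
    if (strlen($digits) > 21) {
        throw new UnexpectedValueException("$name: octal value too long");
    }
    return octdec($digits);                    // input validated: no deprecation
}

// Constructed fields as they appear in a 512-byte header (mode is 8 bytes,
// size and mtime 12 bytes), plus a base-256 size and two malformed fields.
$cases = [
    'mode'    => "0000644\0",
    'size'    => "00000001750\0",
    'mtime'   => "13712010000 ",
    'size256' => "\x80" . str_repeat("\0", 9) . "\x01\x00",   // value 256
    'bad'     => "0000x44\0",
    'empty'   => str_repeat("\0", 8),
];
foreach ($cases as $name => $raw) {
    try {
        printf("%-8s -> %d\n", $name, tarNumericField($raw, $name));
    } catch (UnexpectedValueException $e) {
        printf("%-8s -> rejected: %s\n", $name, $e->getMessage());
    }
}
```

Treating a malformed numeric field as a hard error is the safer behaviour for an extractor: a garbage size field that octdec() "ignores" into some other number changes where the next header is read from, which is exactly the kind of desynchronisation a crafted archive can exploit.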

Relative symlinks failing (Out-of-path file extraction) with new commit cde460582ff389404b5b3ccb59374e9b389de916

Hi,
I've been trying to install twofactor_webauthn in NextCloud but kept getting an error "Could not extract app twofactor_webauthn". NextCloud doesn't seem to report the message from the _error function in Archive_Tar (or I'm not looking in the right place?), but I modified the _error function to log it to a file and caught this problem:

Out-of-path file extraction {/tmp/oc_tmp_lrJaMb-folder/twofactor_webauthn/vendor/bin/doctrine-dbal --> ../doctrine/dbal/bin/doctrine-dbalp_path}

That symlink is not out of path, so I'm not sure why it's failing. Here is a link to the tarball to investigate if desired: https://github.com/michib/nextcloud_twofactor_webauthn/releases/download/0.2.6/twofactor_webauthn-0.2.6.tar.gz

And here is a link to the bug report on the NextCloud app:
nextcloud/twofactor_webauthn#48

Thanks!
Rick
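Both symlink reports above ("Relative symlinks with parent folder reference inside archive are rejected as out-of-path" and this Nextcloud one) describe the same defect, and the "Add option to disallow symlinks" request asks for a policy switch on top of the check. The following is an added example, not Archive_Tar's code and not the cde4605 patch: it resolves a link target lexically against the directory that contains the link, so a target that climbs within the archive is accepted and one that climbs above the extraction root is refused, and it takes a flag to refuse symlinks outright. Function names and the "/"-separated path syntax are assumptions of the example.

```php
<?php
// Added example, not Archive_Tar's own code. Resolves a symlink entry's
// target relative to the link's own directory inside the archive, which is
// the step the check described in the issues gets wrong, and adds a flag to
// refuse symlinks entirely for untrusted uploads.

declare(strict_types=1);

/**
 * Split a path into components, dropping empty segments and ".".
 * @return string[]
 */
function splitPath(string $path): array
{
    return array_values(array_filter(
        explode('/', str_replace('\\', '/', $path)),
        static fn(string $seg): bool => $seg !== '' && $seg !== '.'
    ));
}

/**
 * Return the archive-relative path a symlink resolves to, or null when the
 * target is absolute or climbs above the extraction root.
 */
function resolveSymlinkTarget(string $linkName, string $target): ?string
{
    // Absolute targets (and Windows drive letters) always leave the archive.
    if ($target === '' || $target[0] === '/' || $target[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $target) === 1) {
        return null;
    }

    // Start from the directory containing the link, not from the root.
    $stack = splitPath($linkName);
    array_pop($stack);                      // drop the link's own basename

    foreach (splitPath($target) as $seg) {
        if ($seg === '..') {
            if ($stack === []) {
                return null;                // climbed above the archive root
            }
            array_pop($stack);
        } else {
            $stack[] = $seg;
        }
    }
    return implode('/', $stack);
}

/**
 * Policy hook for an extractor: true when the symlink entry may be created.
 * With $allowSymlinks = false every symlink is refused, the safest setting
 * for archives uploaded by untrusted users.
 */
function symlinkEntryAllowed(string $linkName, string $target, bool $allowSymlinks = true): bool
{
    if (!$allowSymlinks) {
        return false;
    }
    return resolveSymlinkTarget($linkName, $target) !== null;
}

// Constructed entries: the three from the first symlink issue, the Nextcloud
// doctrine-dbal link from the second, and two that must be refused.
$entries = [
    ['invalid', '../some-path'],
    ['vendor/bin/some-name', '../name/name/script.php'],
    ['twofactor_webauthn/vendor/bin/doctrine-dbal', '../doctrine/dbal/bin/doctrine-dbal'],
    ['etc/link', '/etc/passwd'],
    ['a/b/c', '../../../../x'],
];
foreach ($entries as [$name, $target]) {
    $resolved = resolveSymlinkTarget($name, $target);
    printf("%-45s -> %-36s %s\n", $name, $target,
        $resolved === null ? 'REJECT (out of path)' : 'ok, resolves to ' . $resolved);
    printf("%-45s    untrusted mode: %s\n", '',
        symlinkEntryAllowed($name, $target, false) ? 'allowed' : 'refused');
}
```

Two caveats for anyone wiring this into an extractor. The lexical check assumes every component of the link's own path is a real directory; if an earlier entry already created a symlink at "vendor/bin", the resolved path is wrong, so either refuse entries whose parents are symlinks or create all symlinks after the regular files. And the link name itself still has to pass the filename check ("../", absolute paths, stream wrappers) before this function sees it.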

PHP 8.1 compatibility error: Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$trace" was changed on line 69.

Command: ./vendor/bin/phpcs -p vendor/pear --standard=PHPCompatibility --runtime-set testVersion 8.1

There are multiple PHP compatibility errors with debug_backtrace(), (along with multiple warnings). Following are few errors:

pear/archive_tar/tests/phpt_test.php.inc

48 | WARNING | Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$trace" was used, and possibly changed (by reference), on line 47.

95 | ERROR | Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$trace" was changed on line 69.

111 | ERROR | Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$trace" was changed on line 69.

pear/pear-core-minimal/src/PEAR.php

897 | ERROR | Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter "$mode" was changed on line 887.

Proposed solution:

  • Add "DEBUG_BACKTRACE_IGNORE_ARGS".

Question: But why is this considered a warning in some places and an error in others?
Does anyone have any thoughts/suggestions on this?

Thanks

Clarify the licensing

Hi guys,

Small nit, the license information in composer is BSD 3-clause and the license in the code is (I'm assuming correct) BSD 2-clause.
Thanks,
