High severityCISA KEVNVD Advisory· Published Jan 18, 2021· Updated Oct 21, 2025
CVE-2020-36193
Description
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pear/archive_tar (Packagist) | < 1.4.13 | 1.4.13 |
Affected products
- Archive_Tar / Archive_Tar (description)
Patches
52 files changed · +6 −1
CHANGELOG.txt+5 −0 modified@@ -1,3 +1,8 @@ +Drupal 7.78, 2021-01-19 +----------------------- +- Fixed security issues: + - SA-CORE-2021-001 + Drupal 7.77, 2020-12-03 ----------------------- - Hotfix for schema.prefixed tables
includes/bootstrap.inc+1 −1 modified@@ -8,7 +8,7 @@ /** * The current system version. */ -define('VERSION', '7.77'); +define('VERSION', '7.78'); /** * Core API compatibility.
4 files changed · +7 −7
composer.lock+4 −4 modified@@ -663,7 +663,7 @@ }, { "name": "drupal/core", - "version": "8.9.12", + "version": "8.9.13", "dist": { "type": "path", "url": "core", @@ -897,7 +897,7 @@ }, { "name": "drupal/core-project-message", - "version": "8.9.12", + "version": "8.9.13", "dist": { "type": "path", "url": "composer/Plugin/ProjectMessage", @@ -930,7 +930,7 @@ }, { "name": "drupal/core-vendor-hardening", - "version": "8.9.12", + "version": "8.9.13", "dist": { "type": "path", "url": "composer/Plugin/VendorHardening", @@ -6984,5 +6984,5 @@ "prefer-lowest": false, "platform": [], "platform-dev": [], - "plugin-api-version": "1.1.0" + "plugin-api-version": "2.0.0" }
composer/Metapackage/CoreRecommended/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-strict": "*" }, "require": { - "drupal/core": "8.9.12", + "drupal/core": "8.9.13", "asm89/stack-cors": "1.3.0", "composer/semver": "1.5.1", "doctrine/annotations": "v1.4.0",
composer/Metapackage/PinnedDevDependencies/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-require-dev": "*" }, "require": { - "drupal/core": "8.9.12", + "drupal/core": "8.9.13", "behat/mink": "v1.8.1", "behat/mink-browserkit-driver": "v1.3.4", "behat/mink-goutte-driver": "v1.2.1",
core/lib/Drupal.php+1 −1 modified@@ -82,7 +82,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '8.9.12'; + const VERSION = '8.9.13'; /** * Core API compatibility.
4 files changed · +7 −7
composer.lock+4 −4 modified@@ -482,7 +482,7 @@ }, { "name": "drupal/core", - "version": "9.0.10", + "version": "9.0.11", "dist": { "type": "path", "url": "core", @@ -729,7 +729,7 @@ }, { "name": "drupal/core-project-message", - "version": "9.0.10", + "version": "9.0.11", "dist": { "type": "path", "url": "composer/Plugin/ProjectMessage", @@ -762,7 +762,7 @@ }, { "name": "drupal/core-vendor-hardening", - "version": "9.0.10", + "version": "9.0.11", "dist": { "type": "path", "url": "composer/Plugin/VendorHardening", @@ -7116,5 +7116,5 @@ "prefer-lowest": false, "platform": [], "platform-dev": [], - "plugin-api-version": "1.1.0" + "plugin-api-version": "2.0.0" }
composer/Metapackage/CoreRecommended/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-strict": "*" }, "require": { - "drupal/core": "9.0.10", + "drupal/core": "9.0.11", "asm89/stack-cors": "1.3.0", "composer/semver": "1.5.1", "doctrine/annotations": "1.10.3",
composer/Metapackage/PinnedDevDependencies/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-require-dev": "*" }, "require": { - "drupal/core": "9.0.10", + "drupal/core": "9.0.11", "behat/mink": "v1.8.1", "behat/mink-browserkit-driver": "v1.3.4", "behat/mink-goutte-driver": "v1.2.1",
core/lib/Drupal.php+1 −1 modified@@ -80,7 +80,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '9.0.10'; + const VERSION = '9.0.11'; /** * Core API compatibility.
4 files changed · +6 −6
composer.lock+3 −3 modified@@ -524,7 +524,7 @@ }, { "name": "drupal/core", - "version": "9.1.2", + "version": "9.1.3", "dist": { "type": "path", "url": "core", @@ -776,7 +776,7 @@ }, { "name": "drupal/core-project-message", - "version": "9.1.2", + "version": "9.1.3", "dist": { "type": "path", "url": "composer/Plugin/ProjectMessage", @@ -809,7 +809,7 @@ }, { "name": "drupal/core-vendor-hardening", - "version": "9.1.2", + "version": "9.1.3", "dist": { "type": "path", "url": "composer/Plugin/VendorHardening",
composer/Metapackage/CoreRecommended/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-strict": "*" }, "require": { - "drupal/core": "9.1.2", + "drupal/core": "9.1.3", "asm89/stack-cors": "1.3.0", "composer/semver": "3.2.2", "doctrine/annotations": "1.11.1",
composer/Metapackage/PinnedDevDependencies/composer.json+1 −1 modified@@ -7,7 +7,7 @@ "webflo/drupal-core-require-dev": "*" }, "require": { - "drupal/core": "9.1.2", + "drupal/core": "9.1.3", "behat/mink": "v1.8.1", "behat/mink-browserkit-driver": "v1.3.4", "behat/mink-goutte-driver": "v1.2.1",
core/lib/Drupal.php+1 −1 modified@@ -80,7 +80,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '9.1.2'; + const VERSION = '9.1.3'; /** * Core API compatibility.
cde460582ff3 Disallow symlinks to out-of-path filenames
3 files changed · +26 −0
Archive/Tar.php+8 −0 modified
@@ -2124,6 +2124,14 @@ public function _extractList( } } } elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> ' .
+ $v_header['link'] . '}'
+ );
+ return false;
+ }
 if (!$p_symlinks) { $this->_warning('Symbolic links are not allowed. ' . 'Unable to extract {'
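Review bot: The guard on the first added line is a raw string-prefix test, so a resolved link directory that merely begins with the extraction path (a sibling directory sharing the same prefix) is accepted, and it resolves a relative `link` with `realpath()` against the process working directory rather than against the symlink's own location under `$p_path`; when the target directory does not exist yet, `realpath()` yields `false`, which is then handed to `strpos()` and only rejects the entry by accident. The comparison should be made on both paths with a trailing separator appended, a relative target should be anchored at `dirname($p_path . '/' . $v_header['filename'])` before resolution, and a `false` from either `realpath()` call should be an explicit rejection; the rewrite below does that and keeps the existing `_error()` message that the new test expects. The leading-slash test for absolute targets does not cover Windows drive-letter paths, which would need the same handling. `_extractList` starts before and ends after this hunk.
```php
} elseif ($v_header['typeflag'] == "2") {
    $v_base = realpath($p_path);
    $v_link = $v_header['link'];
    // A relative symlink target resolves from the link's own directory
    // inside the extraction root, not from the process working directory.
    if ($v_link === '' || $v_link[0] !== '/') {
        $v_link = dirname($p_path . '/' . $v_header['filename']) . '/' . $v_link;
    }
    $v_target_dir = realpath(dirname($v_link));
    // Trailing separators make this a directory-prefix test, not a string-prefix test.
    if ($v_base === false || $v_target_dir === false
        || strpos($v_target_dir . '/', $v_base . '/') !== 0
    ) {
        $this->_error(
            'Out-of-path file extraction {'
            . $v_header['filename'] . ' --> ' .
            $v_header['link'] . '}'
        );
        return false;
    }
    // … unchanged: $p_symlinks handling …
```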
tests/out_of_path_fnames.phpt+18 −0 added
@@ -0,0 +1,18 @@
+--TEST--
+tests writes to out-of-path filenames
+--SKIPIF--
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/setup.php.inc';
+$tar = new Archive_Tar(dirname(__FILE__) . '/out_of_path_symlink.tar');
+$tar->extract();
+$phpunit->assertErrors(array(array('package' => 'PEAR_Error', 'message' => "Out-of-path file extraction {symlink --> /tmp/}")), 'after 1');
+$phpunit->assertFileNotExists('symlink/whatever-filename', 'Out-of-path filename should not have succeeded');
+echo 'tests done';
+?>
+--CLEAN--
+<?php
+@unlink("symlink");
+?>
+--EXPECT--
+tests done
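Review bot: The new test only asserts that an absolute target (`/tmp/`) is refused; it does not assert that a legitimate relative symlink pointing inside the extraction directory still extracts, which is the case most likely to regress because the new guard resolves relative targets with `realpath()` from the working directory. A second fixture holding an in-tree relative link, followed by `$phpunit->assertFileExists(...)` on the extracted link, would pin that behaviour alongside the rejection case. The `--CLEAN--` section removes only `symlink`, so any added fixture needs its own cleanup entry.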
tests/out_of_path_symlink.tar+0 −0 added
References
- github.com/advisories/GHSA-rpw6-9xfx-jvcx (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-36193ghsaADVISORY
- security.gentoo.org/glsa/202101-23ghsavendor-advisoryx_refsource_GENTOOWEB
- www.debian.org/security/2021/dsa-4894ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yamlghsaWEB
- github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916 (ghsa, x_refsource_MISC, WEB)
- github.com/pear/Archive_Tar/issues/35ghsaWEB
- lists.debian.org/debian-lts-announce/2021/01/msg00018.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2021/04/msg00007.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEURghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5NghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEURghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5NghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FHghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
- www.drupal.org/sa-core-2021-001 (ghsa, x_refsource_CONFIRM, WEB)