Problem/Motivation

https://github.com/pear/Archive_Tar/releases/tag/1.4.13 has been released.

This includes at least one security hardening:

https://github.com/pear/Archive_Tar/pull/34

D7 issue to cherry-pick / copy-paste this PR: #3195939: hardening of destructor in Archive_Tar

Steps to reproduce

n/a

Proposed resolution

Ensure that Drupal 8/9 update the dependency.

Remaining tasks

Update composer.json etc.

User interface changes

n/a

API changes

n/a

Data model changes

n/a

Release notes snippet

Archive_Tar has been updated to 1.4.13 for a security hardening.


Comments

mcdruid created an issue.

xjm

Here we go. Included a patch for 9.0.x in case we want to harden that as well.

xjm

Note that I didn't increase the constraints, since this is an update for a hardening.

mcdruid

Status: Needs review » Reviewed & tested by the community

LGTM, thanks!

alexpott

Status: Reviewed & tested by the community » Fixed

Committed 64e0464 and pushed to 9.2.x. Thanks!
Committed 0f50479 and pushed to 9.1.x. Thanks!
Committed 485d2a3 and pushed to 8.9.x. Thanks!

I skipped the 9.0.x patch because I think that that only gets security releases. So I'm unsure of when we'd release the fix if I committed it there.

  • alexpott committed 485d2a3 on 8.9.x
    Issue #3199205 by xjm, mcdruid: Update Archive_Tar to 1.4.13

  • alexpott committed 0f50479 on 9.1.x
    Issue #3199205 by xjm, mcdruid: Update Archive_Tar to 1.4.13

  • alexpott committed 64e0464 on 9.2.x
    Issue #3199205 by xjm, mcdruid: Update Archive_Tar to 1.4.13

xjm

Version: 8.9.x-dev » 9.0.x-dev
Status: Fixed » Patch (to be ported)
Issue tags: +Needs release manager review

Given that a release manager filed the issue, it's probably safe to assume that it's at least under consideration, no? We do patch releases on the security-covered branch at times when there is a critical or strategic reason for doing so, and I have reasons for exploring it here.

alexpott

Version: 9.0.x-dev » 8.9.x-dev
Status: Patch (to be ported) » Fixed
Issue tags: -Needs release manager review

Committed 0674479 and pushed to 9.0.x. Thanks!

@catch is in favour too, along with #10, so let's backport to 9.0.x too.

  • alexpott committed 0674479 on 9.0.x
    Issue #3199205 by xjm, mcdruid: Update Archive_Tar to 1.4.13

xjm

Issue tags: +9.1.5 release notes, +9.0.10 release notes

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

xjm

Issue tags: -9.1.5 release notes, -9.0.10 release notes +9.1.8 release notes, +9.0.13 release notes, +8.9.15 release notes

Fixing tags.

xjm

Issue tags: -9.1.8 release notes

Well actually this went out in 9.1.x already and just didn't get mentioned.