GitHub published a security (Dependabot) advisory around 2021-04-22 about Archive_Tar and CVE-2020-36193:

https://github.com/advisories/GHSA-rpw6-9xfx-jvcx

The advisory initially stated that 1.4.13 is the "Patched version" and previous versions were vulnerable.

This was inaccurate; the 1.4.12 release addressed CVE-2020-36193 and the Drupal Security Team issued https://www.drupal.org/sa-core-2021-001 at the time.

The 1.4.13 release of Archive_Tar included a fix for a regression introduced by the security mitigation in the previous release (which we presume is where the confusion arose), but this was not a security release itself. The maintainer of Archive_Tar has confirmed this:

https://github.com/pear/Archive_Tar/issues/38

We've notified GitHub of this error and are told that the advisory is being updated.

Drupal will be updating to newer releases of Archive_Tar in due course as appropriate, but not as an emergency security release.

Thank you to everyone who reported this to the Drupal Security Team. Reminder to report issues like this privately even if the release / advisory information is public; this allows us to consider and discuss the potential impact on Drupal without divulging any potentially useful information to bad actors.

Comments

mcdruid created an issue.

mcdruid:

Issue summary: changed

mcdruid:

Status: Active » Fixed

GitHub revised the advisory with some extra details; it still lists 1.4.13 as the "patched version" but now specifies:

Affected versions <= 1.4.11

There is also a note about the regression and fix:

There was an initial fix for this vulnerability made in version 1.4.12. That fix introduced a bug which was fixed in 1.4.13. Therefore we have set the first-patched-version to 1.4.13 which is the earliest working version that avoids this vulnerability.

The vulnerability, and regression, relate to extracting symlinks within archives.

Drupal 7/8/9 all use a wrapper class for Archive_Tar and in all cases there is no support for allowing symlinks (the $p_symlinks parameter) when archives are extracted:

https://github.com/pear/Archive_Tar/blob/1.4.13/Archive/Tar.php#L312

https://git.drupalcode.org/project/drupal/-/blob/7.80/modules/system/sys...

https://git.drupalcode.org/project/drupal/-/blob/9.1.7/core/lib/Drupal/C...

(there's no significant difference in this class between the supported 8 and 9 branches).

Therefore there should be no urgent need to update Archive_Tar on a Drupal site, unless the class is used directly utilising the optional symlink extraction support in a way that core does not.

The Roave/SecurityAdvisories repo has rolled back the version change based on the revision to the GitHub advisory:

https://github.com/Roave/SecurityAdvisories/commit/3c97c13698c448fdbbda2...

So - as mentioned in the IS - Drupal will carry on updating Archive_Tar as appropriate, but not as a security release.

Not anticipating any further developments, so will close this issue.
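As an added example (not Drupal's or Archive_Tar's own code), here is the kind of pre-extraction check a site that calls Archive_Tar directly could run: it walks the raw tar headers, refuses archives that contain link entries, and passes $p_symlinks = false to extract(). The helper names and the sample header are constructed for this example.

```php
<?php
// Added example, not Drupal or Archive_Tar code. Assumes pear/archive_tar is
// installed via Composer (require 'vendor/autoload.php') for the extract step.

// Walk the 512-byte headers of a raw (uncompressed) tar stream and return
// "name -> target" for every hardlink ('1') or symlink ('2') entry.
function tar_link_entries(string $tar): array {
    $links = [];
    $offset = 0;
    $len = strlen($tar);
    while ($offset + 512 <= $len) {
        $header = substr($tar, $offset, 512);
        if (trim($header, "\0") === '') {
            break; // an all-zero block marks the end of the archive
        }
        $name = rtrim(substr($header, 0, 100), "\0");
        $size = octdec(trim(substr($header, 124, 12), "\0 "));
        $typeflag = $header[156];
        if ($typeflag === '1' || $typeflag === '2') {
            $links[] = $name . ' -> ' . rtrim(substr($header, 157, 100), "\0");
        }
        // Skip the header plus the entry's data, which is padded to 512 bytes.
        $offset += 512 + (int) (ceil($size / 512) * 512);
    }
    return $links;
}

// Extract only archives that carry no link entries at all, and additionally
// pass $p_symlinks = false so Archive_Tar >= 1.4.12 does not create symlinks.
function extract_without_links(string $tarPath, string $dest): bool {
    $links = tar_link_entries(file_get_contents($tarPath));
    if ($links !== []) {
        error_log("Refusing to extract $tarPath: " . implode(', ', $links));
        return false;
    }
    $tar = new Archive_Tar($tarPath);
    return $tar->extract($dest, false, false);
}

// Constructed sample: one symlink header (no data blocks) followed by the
// end-of-archive marker, to show what the scan reports for such an entry.
$hdr = str_pad('docs', 100, "\0") . str_pad('0000777', 8, "\0")
     . str_pad('0000000', 8, "\0") . str_pad('0000000', 8, "\0")
     . str_pad('00000000000', 12, "\0") . str_pad('00000000000', 12, "\0")
     . str_repeat(' ', 8) . '2' . str_pad('shared', 100, "\0");
$sample = str_pad($hdr, 512, "\0") . str_repeat("\0", 1024);
print_r(tar_link_entries($sample));
```

Gzipped archives (.tar.gz) must be decompressed before the scan, since it reads raw tar headers; Archive_Tar itself handles compression in extract().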

xjm:

Status: Fixed » Active

Note that HEAD in 9.2.x, 9.1.x, 9.0.x, and 8.9.x already use Archive_Tar 1.4.13 in their lockfiles and in the drupal/core-recommended metapackage constraints; it is just that we will not increase drupal/core's requirement since core is not vulnerable, and there hasn't been a release containing this update for 9.0.x and 8.9.x yet.

xjm:

Version: 9.2.x-dev » 8.9.x-dev

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

xjm:

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.