| Summary: | php-pear, php-pear-Archive_Tar new security issues CVE-2020-28948 and CVE-2020-28949 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | php-pear-1.10.9-1.mga7.src.rpm, php-pear-Archive_Tar-1.4.5-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2020-11-24 22:20:19 CET

David Walser
2020-11-24 22:21:02 CET
Whiteboard: (none) => MGA7TOO

Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => mageia

this one is tricky. we have php-pear-Archive_Tar-1.4.10-1 which can't be installed, as it is already provided by php-pear. php-pear is a multi-source rpm and the autosetup macro does not provide multiple -a switches (#27669) which makes it more complicated to patch. Unless we consider this to be severe, I would wait for the next release of php-pear-Archive_Tar and obsolete the conflicting package

Can we patch it in php-pear like Debian did?

only the old way. we have no "setup". only tar -xzf ... so we have to apply the patches manually afterwards :( and due to the autosetup bug, I can't unpack multiple packages in one rpm and patch them afterwards :/

Ubuntu has issued an advisory for this on December 1:
https://ubuntu.com/security/notices/USN-4654-1
Source RPM: php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm => php-pear-1.10.12-1.mga8.src.rpm, php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm

Fedora has issued an advisory for this today (December 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

Updated php-pear packages fix security vulnerabilities:

Fix Bug #27002: Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949)
Updated Archive_Tar to 1.4.11

References:
https://www.debian.org/lts/security/2020/dla-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
========================

Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.1.mga7.noarch.rpm

SRPM:
php-pear-1.10.9-1.1.mga7.src.rpm
Assignee: mageia => qa-bugs
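The advisory describes the fix as closing filename manipulation in Archive_Tar (CVE-2020-28948 concerns a `phar:` prefix check that a case variant such as `PHAR:` slipped past; CVE-2020-28949 concerns other stream wrappers reaching the same extraction code). The PHP function below is an added example, not Archive_Tar's or Mageia's code, showing the entry-name validation a defensive tar extractor applies before writing anything; the entry names are constructed samples.

```php
<?php
// Added example (not Archive_Tar code): validate a tar entry name before
// extracting it. Returns null when the name is acceptable, otherwise a
// short reason string suitable for a log line.
function tarEntryNameProblem(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return 'empty name or embedded NUL';
    }
    // Reject any scheme-like prefix (phar:, PHAR:, file:, data:, also C:).
    // Matching case-insensitively and for every scheme, rather than for a
    // literal "phar://", is what closes both the case-variant and the
    // other-wrapper bypass classes.
    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $name)) {
        return 'stream-wrapper or drive prefix';
    }
    if ($name[0] === '/' || $name[0] === '\\') {
        return 'absolute path';
    }
    // Split on both separators so a backslash cannot hide a ".." component.
    foreach (preg_split('~[/\\\\]+~', $name) as $component) {
        if ($component === '..') {
            return 'parent-directory traversal';
        }
    }
    return null;
}

// Constructed sample entry names, one per rule.
$samples = [
    'pkg/Archive/Tar.php',      // acceptable
    'PHAR://evil.phar/x.php',   // case-variant wrapper prefix
    'file:///etc/passwd',       // a different stream wrapper
    '/etc/cron.d/job',          // absolute path
    'docs/../../../.bashrc',    // traversal
];
foreach ($samples as $s) {
    printf("%-28s %s\n", $s, tarEntryNameProblem($s) ?? 'ok');
}
```

An extractor should skip (and log) any entry for which the function returns a reason, rather than trying to "clean" the name and continue.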
David Walser
2020-12-02 23:34:44 CET
Whiteboard: MGA7TOO => (none)

MGA7-64 MATE on Peaq C1011
No installation issues.
No previous updates on this specific option, so went looking for info and found https://github.com/pear/Archive_Tar (other site replicated the same info). So tried the two commands for testing

$ phpunit tests/
bash: phpunit: command not found

and

$ pear run-tests -r
PHP Warning: PHP Startup: Unable to load dynamic library 'xml' (tried: /usr/lib64/php/extensions/xml (/usr/lib64/php/extensions/xml: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xml.so (/usr/lib64/php/extensions/xml.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Running 0 tests
TOTAL TIME: 00:00
0 PASSED TESTS
0 SKIPPED TESTS

Looks to me like other packages are needed to run these tests, but that's not in my league. Unless someone else has a better idea, I will not object on OK on clean install as we often do with developer stuff.
CC: (none) => herman.viaene

The changes are minor, so I think this can be pushed.

Herman Viaene
2020-12-08 08:52:23 CET
Whiteboard: (none) => MGA7-64-OK

Advisory pushed to SVN. Validating.

Advisory:
========================

Updated php-pear packages fix security vulnerabilities:

Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949)
Updated also Archive_Tar to 1.4.11.

References:
https://www.debian.org/lts/security/2020/dla-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
========================

Updated packages in core/updates_testing:
========================
php-pear-1.10.9-1.1.mga7.noarch.rpm

SRPM:
php-pear-1.10.9-1.1.mga7.src.rpm
Source RPM: php-pear-1.10.12-1.mga8.src.rpm, php-pear-Archive_Tar-1.4.10-1.mga8.src.rpm => php-pear-1.10.9-1.mga7.src.rpm, php-pear-Archive_Tar-1.4.5-1.mga7.src.rpm

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0453.html
Status: NEW => RESOLVED