Security update for php8-pear

Announcement ID: SUSE-SU-2023:0291-2
Rating: moderate
CVSS scores:
  • CVE-2021-32610 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
  • openSUSE Leap 15.4

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for php8-pear fixes the following issues:

  • Add php8-pear to SLE15-SP4 (jsc#SLE-24728)
  • Update to 1.10.21
    • PEAR 1.10.13
      • unsupported protocol - use --force to continue
      • Add $this operator to _determineIfPowerpc calls
  • Update to 1.10.20
    • Archive_Tar 1.4.14
      • Properly fix symbolic link path traversal (CVE-2021-32610)
    • Archive_Tar 1.4.13
      • Relative symlinks failing (out-of-path file extraction)
    • Archive_Tar 1.4.12
    • Archive_Tar 1.4.11
    • Archive_Tar 1.4.10
      • Fix block padding when the file buffer length is a multiple of 512 and smaller than the Archive_Tar buffer length
      • Don't try to copy username/groupname in chroot jail
  • Provides and obsoletes php7-pear-Archive_Tar, former location of PEAR/Archive/Tar.php
  • Update to version 1.10.19
    • PEAR 1.10.12
      • adjust dependencies based on new releases
    • XML_Util 1.4.5
      • fix "Trying to access array offset on value of type int"
  • Update to version 1.10.18
  • Remove pear-cacheid-array-check.patch (upstreamed)
  • Contents of .filemap are now sorted internally
  • Sort contents of .filemap to make build reproducible
  • Recommend php7-openssl to allow https sources to be used
  • Modify metadata_dir for system configuration only
  • Add /var/lib/pear directory where xml files are stored
  • Cleanup %files section
  • Only use the GPG keys of Chuck Burgess. Extracted from the Release Manager public keys.
  • Add release versions of PEAR modules
  • Install metadata files (registry, filemap, channels, ...) in /var/lib/pear/ instead of /usr/share/php7/PEAR/
  • Update to version 1.10.17
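The Archive_Tar entries above (CVE-2021-32610, "symbolic link path traversal", and the earlier "relative symlinks failing (out-of-path file extraction)") describe the general tar pitfall that a link member can point outside the directory an archive is unpacked into. The following is an added example, not part of this advisory and not PEAR or Archive_Tar code: a Python pre-extraction scan that resolves each symlink target against the link's own directory inside the archive and reports any that climb above the extraction root or use an absolute path. The sample archive is constructed in memory for the demonstration.

```python
import io
import posixpath
import tarfile


def escapes_root(member_name: str, link_target: str) -> bool:
    """True if a symlink member would, once extracted, point outside the
    extraction root.  Absolute targets are always treated as escapes;
    relative targets are resolved against the symlink's own directory
    inside the archive, purely lexically (no filesystem access)."""
    if posixpath.isabs(link_target):
        return True
    base_dir = posixpath.dirname(posixpath.normpath(member_name))
    resolved = posixpath.normpath(posixpath.join(base_dir, link_target))
    return resolved == ".." or resolved.startswith("../")


def unsafe_symlinks(archive: tarfile.TarFile) -> list:
    """Return (member name, target) pairs for symlink members whose target
    escapes the extraction directory, in archive order."""
    return [
        (m.name, m.linkname)
        for m in archive.getmembers()
        if m.issym() and escapes_root(m.name, m.linkname)
    ]


def scan_bytes(blob: bytes) -> list:
    """Scan a tar archive held in memory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_symlinks(tar)


def build_sample_archive() -> bytes:
    """Constructed sample archive: a regular file, a safe relative symlink,
    a relative symlink that climbs above the root, and an absolute symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("pkg/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        ok = tarfile.TarInfo("pkg/docs/link_to_readme")
        ok.type = tarfile.SYMTYPE
        ok.linkname = "../README"          # resolves to pkg/README: safe
        tar.addfile(ok)

        climb = tarfile.TarInfo("pkg/escape")
        climb.type = tarfile.SYMTYPE
        climb.linkname = "../../outside.txt"  # resolves above the root
        tar.addfile(climb)

        absolute = tarfile.TarInfo("pkg/abs")
        absolute.type = tarfile.SYMTYPE
        absolute.linkname = "/etc/hostname"   # absolute target
        tar.addfile(absolute)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in scan_bytes(build_sample_archive()):
        print(f"unsafe symlink: {name} -> {target}")
```

This is a lexical check of each link on its own, which is enough to reject the two bad members in the sample. It does not model a later member whose path passes through a directory symlink extracted earlier in the same archive; an extractor that wants to be robust against that ordering has to resolve paths against what it has already written to disk, not just against the archive listing.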

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2023-291=1

Package List:

  • openSUSE Leap 15.4 (noarch)
    • php8-pecl-1.10.21-150400.9.3.1
    • php8-pear-1.10.21-150400.9.3.1
