Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
https://www.drupal.org/sa-core-2020-013
https://www.debian.org/security/2020/dsa-4817
https://security.gentoo.org/glsa/202101-23
https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
https://github.com/pear/Archive_Tar/issues/33
http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html