pear / Archive_Tar

Home Page: http://pear.php.net/package/Archive_Tar

Relative symlinks with parent folder reference inside archive are rejected as out-of-path

icedream opened this issue · comments

In this line an out-of-path check was introduced, which is supposed to make sure that symbolic links cannot point to paths outside of the extracted archive.

This logic does not properly make sure that symbolic links can point upwards of a subfolder inside the archive; it will treat that symbolic link as pointing out-of-path. Example:

invalid -> ../some-path
vendor/bin/some-name -> ../name/name/script.php
vendor/name/name/script.php

Consider the above structure for an archive. While the symlink invalid that points to a folder outside of the archive definitely should be rejected, as of right now the codebase would also reject the supposedly valid symlink vendor/bin/some-name which actually points to vendor/name/name/script.php inside the archive.

This has already been fixed with https://github.com/pear/Archive_Tar/releases/tag/1.4.13. I have found this to be an issue in another project still and forgot to check the newer versions, sorry about that.
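
The distinction described in the issue, as an added example that is not Archive_Tar's own code: a symlink target has to be resolved against the directory that contains the link before testing whether it leaves the extraction root. The helper names `resolveInsideRoot` and `resolveSymlinkEntry` are hypothetical, paths are assumed to be `/`-separated, and the root-relative call is only an assumed illustration of how an over-strict rejection can arise.

```php
<?php
declare(strict_types=1);

/**
 * Lexically resolve $target against $baseDir (both relative to the
 * extraction root, '/'-separated). Returns the normalized path, or null
 * when the result would leave the root. Hypothetical helper.
 */
function resolveInsideRoot(string $baseDir, string $target): ?string
{
    // An absolute or empty target can never be confined to the root.
    if ($target === '' || $target[0] === '/') {
        return null;
    }

    $stack = [];
    foreach (explode('/', $baseDir . '/' . $target) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // no-op segments
        }
        if ($segment === '..') {
            // Popping an empty stack means climbing above the root.
            if (array_pop($stack) === null) {
                return null;
            }
            continue;
        }
        $stack[] = $segment;
    }
    return implode('/', $stack);
}

/** Resolve a symlink entry relative to the directory that holds the link. */
function resolveSymlinkEntry(string $entryPath, string $target): ?string
{
    $linkDir = dirname($entryPath); // 'vendor/bin', or '.' for a top-level entry
    return resolveInsideRoot($linkDir, $target);
}

// Symlink entries from the listing in the issue.
$links = [
    'invalid'              => '../some-path',
    'vendor/bin/some-name' => '../name/name/script.php',
];
foreach ($links as $entry => $target) {
    $fromRoot = resolveInsideRoot('', $target);       // over-strict: base is the root
    $fromLink = resolveSymlinkEntry($entry, $target); // base is the link's own directory
    printf("%s -> %s\n  root-relative: %s\n  link-relative: %s\n", $entry, $target,
        $fromRoot ?? 'rejected', $fromLink ?? 'rejected');
}
```

This check is purely lexical: it does not detect a path component that is already a symlink on disk, which has to be verified separately at extraction time.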