Hi Salvatore, Gunnar, all

When looking further into this issue I do not think drupal7 is completely fixed. The drupal 7 package includes the following fix:

+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
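Review bot: the strpos(...) !== 0 test is a bare string-prefix comparison, so it accepts any resolved directory whose name merely starts with realpath($p_path), including a sibling directory whose name extends the extraction directory's (e.g. ".../site2" when $p_path is ".../site"); compare against realpath($p_path) . DIRECTORY_SEPARATOR (or require an exact match) instead. Separately, realpath(dirname($v_header['link'])) resolves a relative link target against the process working directory rather than the directory the symlink is written into, so this line alone does not decide where the link will point once created, which is why a lexical check on the link's own components, such as the depth check referenced below, is still wanted alongside it.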
But it is missing the depth check
https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf

Or is it something that makes that depth check unnecessary? I'm asking since I'm looking into the php-pear fix and it should be very similar to the drupal 7 fix.

Cheers

// Ola

On Thu, 25 Feb 2021 at 23:04, Ola Lundqvist <o...@inguza.com> wrote:
> Great! Thank you all for the good answers.
>
> // Ola
>
> On Thu, 25 Feb 2021 at 10:53, Salvatore Bonaccorso <car...@debian.org> wrote:
>
>> Hi,
>>
>> On Thu, Feb 25, 2021 at 09:09:08AM +0000, Chris Lamb wrote:
>> > Morning Ola,
>> >
>> > > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
>> > > The thing is that this CVE tells that drupal7 is also vulnerable but
>> > > drupal7 is not in dla-needed.txt.
>> >
>> > It may be that drupal7 was not marked as being vulnerable to
>> > CVE-2020-36193 at the time of triage. After all, the code copy of
>> > Tar.php (in "system.tar.inc") is very slightly hidden. I would go
>> > ahead and add drupal7 as well -- a very quick glance suggests that it
>> > is, indeed, vulnerable.
>>
>> The specific issue was already fixed in drupal7 by Gunnar's upload in
>> DLA 2530-1.
>>
>> Regards,
>> Salvatore
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | o...@inguza.com o...@debian.org |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
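The two checks Ola contrasts, modelled as an added Python example that is not the PHP of drupal7, php-pear or Archive_Tar: a prefix test on the resolved parent directory of the symlink target (the realpath()/strpos() line quoted above) and a component-depth check on the target itself. The function names, the extraction path and the sample entries are constructed for the illustration. The model assumes, as PHP's realpath() does, that a relative path is resolved against the process working directory, not against the directory the symlink is being written into; the prefix test is run in a separator-aware form rather than as a bare string prefix.

```python
import posixpath

# Constructed extraction directory for the demonstration (not a real deployment path).
EXTRACT_DIR = "/srv/extract/site"


def prefix_check(resolved_dir, extract_dir, separator_aware=True):
    """Model of the realpath()-prefix test quoted in the thread.

    `resolved_dir` plays the role of realpath(dirname($v_header['link'])) and
    `extract_dir` that of realpath($p_path); both are assumed normalised.
    With separator_aware=False this is a bare "string starts with" test, which
    is what strpos(...) !== 0 expresses; with True the comparison is made
    against extract_dir plus a trailing "/", so a sibling directory whose name
    merely extends extract_dir is refused.
    """
    if not separator_aware:
        return resolved_dir.startswith(extract_dir)
    return resolved_dir == extract_dir or resolved_dir.startswith(extract_dir.rstrip("/") + "/")


def resolve_like_realpath(link_target, cwd):
    """Lexical stand-in for realpath(dirname(link)); touches no filesystem.

    Assumption (true of PHP's realpath()): a relative path is resolved against
    the process working directory `cwd`, not against the directory the symlink
    is written into.
    """
    parent = posixpath.dirname(link_target) or "."
    if not posixpath.isabs(parent):
        parent = posixpath.join(cwd, parent)
    return posixpath.normpath(parent)


def depth_check(link_target):
    """Component-walk depth check over a symlink target.

    My own formulation of the idea behind the depth check Ola asks about, not
    the Archive_Tar code: an absolute target is refused, and a relative target
    is refused as soon as its ".." components would climb above the directory
    that holds the symlink, independently of the cwd.
    """
    if posixpath.isabs(link_target):
        return False
    depth = 0
    for part in link_target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


def check_symlink_entry(link_target, cwd, extract_dir=EXTRACT_DIR, with_depth_check=True):
    """Decide whether a symlink entry with the given target may be extracted.

    Returns (accepted, reason). The prefix test runs first, separator-aware;
    the depth check is layered on top when with_depth_check is set.
    """
    resolved = resolve_like_realpath(link_target, cwd)
    if not prefix_check(resolved, extract_dir):
        return False, "target directory resolves outside the extraction path"
    if with_depth_check and not depth_check(link_target):
        return False, "target climbs above the symlink's own directory"
    return True, "ok"


# Constructed sample entries: (symlink target, cwd of the extracting process).
SAMPLES = [
    ("data/readme.txt", EXTRACT_DIR),        # relative target staying inside
    ("/etc/passwd", EXTRACT_DIR),            # absolute target
    ("../../escape", EXTRACT_DIR + "/a/b"),  # relative climb, cwd two levels deep
]


def run_samples(with_depth_check=True):
    """Map each sample target to the accept/reject decision."""
    return {target: check_symlink_entry(target, cwd, with_depth_check=with_depth_check)[0]
            for target, cwd in SAMPLES}


if __name__ == "__main__":
    for label, flag in (("prefix check only", False), ("prefix + depth   ", True)):
        for target, ok in run_samples(with_depth_check=flag).items():
            print(f"{label}  {target!r:20} -> {'accept' if ok else 'reject'}")
```

The third sample is the point of the exercise: with the process cwd two levels below the extraction directory, the relative target "../../escape" resolves back into the extraction directory and passes the prefix test, while the depth check refuses it regardless of cwd because the target climbs above the directory the link itself lives in. The lexical model also differs from PHP in one respect worth remembering: realpath() returns false for a path that does not exist, which a string-prefix comparison then treats as a mismatch.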