Hello Ola, Salvatore, Chris et al.!

Ola Lundqvist wrote [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> Hi Salvatore, Gunnar, all
>
> When looking further into this issue I do not think drupal7 is completely
> fixed.
> The drupal 7 package includes the following fix:
> + if (strpos(realpath(dirname($v_header['link'])),
> realpath($p_path)) !== 0) {
>
> But it is missing the depth check
> https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
>
> Or is it something that makes that depth check unnecessary?
>
> I'm asking since I'm looking into the php-pear fix and it should be very
> similar to the drupal 7 fix.
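Review bot: the quoted `+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0)` line compares two realpath() results, but realpath() resolves a relative link target against the process's current working directory, not against the directory the symlink entry is extracted into, and it returns false for a target that does not exist yet (strpos(false, ...) !== 0 then rejects the entry). The prefix comparison therefore only describes where the link will really point when the cwd happens to equal $p_path and the entry sits at the top of the archive; a check that walks the target's components from the entry's own directory and rejects any step above the extraction root does not depend on the cwd or on the target already existing, which is the gap the depth check in the linked commit is meant to close. Separately, strpos() !== 0 is a plain string-prefix test, so a sibling directory whose name merely starts with $p_path would pass it; comparing against $p_path with a trailing directory separator avoids that.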
Umh... Did you consider the following patch?

https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001

I understand, but will admit that I didn't dig deep at all, that the Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of course, my handling of this issue was basically only backporting the (very simple) diff in question from their 7.78 to our 7.52.

Greetings,
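A worked comparison of the two kinds of symlink check the thread is about, added here as an illustration: it is written in Python rather than PHP and is not code from Archive_Tar, drupal7 or either of the patches linked above. `resolves_inside_root` is a purely lexical stand-in for the realpath()/strpos() prefix test, `symlink_stays_inside` is a component-walking depth test of the kind Ola asks about. The extraction root `/srv/extract` and the archive entries in `SAMPLE_ENTRIES` are constructed for the example; nothing touches the filesystem.

```python
import posixpath
from typing import List, Optional, Tuple

# Constructed extraction directory; any path would do, both checks are lexical.
EXTRACT_ROOT = "/srv/extract"


def resolves_inside_root(member_name: str, link_target: str) -> bool:
    """Prefix-style test, in the spirit of the realpath()/strpos() patch:
    resolve the link target relative to the directory the entry lands in,
    normalise it, and ask whether the result still starts with the root."""
    link_dir = posixpath.dirname(posixpath.join(EXTRACT_ROOT, member_name))
    # posixpath.join discards link_dir when link_target is absolute, which is
    # what a real resolver would do as well.
    resolved = posixpath.normpath(posixpath.join(link_dir, link_target))
    return resolved == EXTRACT_ROOT or resolved.startswith(EXTRACT_ROOT + "/")


def _walk(depth: int, components: List[str]) -> Optional[int]:
    """Advance a depth counter over path components. None means the walk
    stepped above the extraction root at some point, even transiently."""
    for comp in components:
        if comp in ("", "."):
            continue
        if comp == "..":
            depth -= 1
            if depth < 0:
                return None
        else:
            depth += 1
    return depth


def symlink_stays_inside(member_name: str, link_target: str) -> bool:
    """Depth-style test: start at the depth of the entry's own directory and
    walk the link target; reject absolute targets and any excursion above
    the root, regardless of where the target would end up afterwards."""
    if member_name.startswith("/") or link_target.startswith("/"):
        return False
    depth = _walk(0, member_name.split("/")[:-1])
    if depth is None:
        return False  # the entry name itself climbs out of the root
    return _walk(depth, link_target.split("/")) is not None


# Constructed archive entries: (member name, symlink target).
SAMPLE_ENTRIES = [
    ("sites/default/link", "../settings.php"),  # benign relative link
    ("link", "../etc/passwd"),                   # climbs out of the root
    ("a/link", "../../extract/etc"),             # steps out, then back in
    ("abs-link", "/etc/passwd"),                 # absolute target
]


def evaluate(entries=SAMPLE_ENTRIES) -> List[Tuple[str, str, bool, bool]]:
    """Return (member, target, prefix_check_passes, depth_check_passes)
    for every entry, so the two policies can be compared side by side."""
    return [
        (name, target, resolves_inside_root(name, target),
         symlink_stays_inside(name, target))
        for name, target in entries
    ]


if __name__ == "__main__":
    for name, target, prefix_ok, depth_ok in evaluate():
        print(f"{name:20} -> {target:20} prefix={prefix_ok!s:5} depth={depth_ok}")
```

The third entry is the interesting one: its target leaves the extraction root and steps back into a directory that happens to carry the root's name, so a prefix test on the final resolved path accepts it, while the depth walk rejects the excursion outright. Rejecting any step above the root is the safer policy for an extractor, since a benign archive never needs it and the real filesystem may be redirected through an earlier symlink on the way out and back.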