Hi Gunnar, all

See below.

On Tue, 9 Mar 2021 at 05:11, Gunnar Wolf <gw...@debian.org> wrote:

> Hello Ola, Salvatore, Chris et al.!
>
> Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> > Hi Salvatore, Gunnar, all
> >
> > When looking further into this issue I do not think drupal7 is completely
> > fixed.
> > The drupal7 package includes the following fix:
> > +                        if (strpos(realpath(dirname($v_header['link'])),
> > realpath($p_path)) !== 0) {
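Review bot: the containment test on this `+` line, `strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0`, is a bare string-prefix check and leaves two gaps. First, `realpath()` resolves a relative link target against the process working directory, not against `$p_path`, so the line does not reason about where a relative link will point once it is created; that is why a separate rejection of `..` segments in the raw `$v_header['link']` (the depth check Ola refers to) is still needed. Second, the prefix has no trailing directory separator, so a sibling directory whose name merely starts with `realpath($p_path)` (for example `/tmp/out2` beside `/tmp/out`) also passes; compare against `realpath($p_path) . DIRECTORY_SEPARATOR` instead. A `false` from `realpath()` is coerced to an empty string by `strpos()`, so targets whose parent directory does not exist are rejected, which is the safe direction.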
> >
> > But it is missing the depth check
> >
> https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
> >
> > Or is it something that makes that depth check unnecessary?
> >
> > I'm asking since I'm looking into the php-pear fix and it should be very
> > similar to the drupal 7 fix.
>
> Umh... Did you consider the following patch?
>
>
> https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001
>
>
Yes, that is the "if (strpos(..." fix I was referring to below.
This is needed, but for php-pear there is also the fix to check for
multiple ../.. as protection mentioned as part of this CVE. This is not
included in the Drupal fix you mention and then obviously not in the
uploaded package either.

To me it looks like we have one more flaw to fix in Drupal. The question is
whether it should be handled as part of this CVE, or if we should consider
requesting a new CVE for it.


> I understand, but will admit that I didn't dig deep at all, that the
> Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of
> course, my handling of this issue was basically only backporting the
> (very simple) diff in question from their 7.78 to our 7.52.
>

I see.

Best regards

// Ola


> Greetings,
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
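The two checks discussed in this thread, written out as one self-contained PHP function. This is an added example, not code from Archive_Tar, php-pear or Drupal: it combines the `realpath()` prefix comparison from the Drupal SA-CORE-2021-001 patch with a separate rejection of `..` segments in the raw link target, resolves relative targets against the entry's own directory rather than the working directory, and adds a trailing separator to the prefix comparison. The function name, the sample entries and the temp-directory layout are assumptions made for this example; rejecting every `..` segment outright is stricter than strictly necessary but keeps the check independent of whether the target exists yet.

```php
<?php
// Added example, not Archive_Tar, php-pear or Drupal code. Function name and
// sample paths are assumptions for this illustration.

/**
 * Decide whether a symlink entry named $entryName (its path inside the
 * archive) pointing at $linkTarget may be created under $extractDir.
 */
function symlinkTargetIsContained(string $extractDir, string $entryName, string $linkTarget): bool
{
    $base = realpath($extractDir);
    if ($base === false) {
        return false;   // extraction directory must already exist
    }

    // Check 1 (the part the Drupal patch lacks): refuse any ".." segment in
    // the raw target. This runs before realpath() could normalise the
    // traversal away and does not depend on the target existing yet.
    foreach (explode('/', str_replace('\\', '/', $linkTarget)) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }

    // Check 2: resolve the target the way the created link would resolve it,
    // i.e. relative to the entry's own directory under $base, not relative to
    // the process working directory that a bare realpath($linkTarget) uses.
    if ($linkTarget !== '' && $linkTarget[0] === '/') {
        $candidate = $linkTarget;
    } else {
        $candidate = $base . '/' . dirname($entryName) . '/' . $linkTarget;
    }
    $resolvedParent = realpath(dirname($candidate));
    if ($resolvedParent === false) {
        return false;   // parent of the target does not exist: fail closed
    }

    // Prefix comparison with a trailing separator, so that a sibling such as
    // "/tmp/out2" is not mistaken for a path inside "/tmp/out".
    return strpos($resolvedParent . '/', $base . '/') === 0;
}

// Usage with a constructed layout under the system temp directory.
$dir = sys_get_temp_dir() . '/tar-check-' . getmypid();
mkdir($dir . '/sub', 0700, true);
mkdir($dir . '2', 0700);
$cases = [
    ['sub/link', 'sibling.txt'],   // relative target inside the entry's directory
    ['link', 'sub/../sub/file'],   // contains a ".." segment
    ['link', '/etc/passwd'],       // absolute target outside the extraction directory
    ['link', $dir . '2/file'],     // sibling directory sharing the name prefix
];
foreach ($cases as [$name, $target]) {
    printf("%-10s -> %-40s %s\n", $name, $target,
        symlinkTargetIsContained($dir, $name, $target) ? 'allowed' : 'rejected');
}
rmdir($dir . '2');
rmdir($dir . '/sub');
rmdir($dir);
```

Only the first case is allowed; the other three are rejected by the `..` check, the prefix comparison, and the trailing-separator comparison respectively. The check is deliberately evaluated per entry before the link is created, since once a symlink pointing outside the tree exists, every later entry extracted through it is already compromised.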
