[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


Drupal7, in Jessie has 3 security issues:

CVE-2020-11022 / CVE-2020-11023 / SA-CORE-2020-002

Vulnerabilities in jquery library.

The Debian drupal7 package comes with jquery 1.4.4

7.27+dfsg-1 the maintainer attempted to use the libjs-jquery
package instead.

7.27+dfsg2-1 - the next release - the above change was reverted due to
"heavy breakage", with a reference to https://bugs.debian.org/699286
which says "Turns out, they have a hard dependency on the 1.4.4

The upstream patch is invasive:


Plus has the commit "There is no patch for 1.x or 2.x, they are no
longer supported and in any case this is a pretty big breaking change,
likely even more so on the browsers supported by those versions.
Patching this would almost surely cause a cascade of failures in code
and plugins that you would need to address."

As such, I am reluctant to want to try to patch the query issues.

CVE-2020-13662 / SA-CORE-2020-003

The upstream patch
is trivial and applies cleanly to the Jessie version.

=== cut ===
--- drupal7-7.32.orig/includes/common.inc
+++ drupal7-7.32/includes/common.inc
@@ -684,7 +684,10 @@
   // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
   if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
     $destination = drupal_parse_url($_GET['destination']);
-    $path = $destination['path'];
+    // Double check the path derived by drupal_parse_url() is not external.
+    if (!url_is_external($destination['path'])) {
+      $path = $destination['path'];
+    }
     $options['query'] = $destination['query'];
     $options['fragment'] = $destination['fragment'];
=== cut ===

As such, I am inclined to patch the CVE-2020-13662 / SA-CORE-2020-003
issue, but not touch the jquery issue.

Brian May <brian@linuxpenguins.xyz>

Reply to: