Re: CVE-2020-36193 php-pear vs drupal7

To: "Ola Lundqvist" <ola@inguza.com>
Cc: "Debian LTS" <debian-lts@lists.debian.org>
Subject: Re: CVE-2020-36193 php-pear vs drupal7
From: "Chris Lamb" <lamby@debian.org>
Date: Thu, 25 Feb 2021 09:09:08 +0000
Message-id: <[🔎] 7ae1f4a8-175d-420b-b3ae-6b79248a1291@www.fastmail.com>
In-reply-to: <[🔎] CABY6=0nOOt2o4JPRdaRBVCNQFYo2XA+YGp5du=_XR5iZep-=2w@mail.gmail.com>
References: <[🔎] CABY6=0nOOt2o4JPRdaRBVCNQFYo2XA+YGp5du=_XR5iZep-=2w@mail.gmail.com>

Morning Ola,

> Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> Ths thing is that this CVE tells that drupal7 is also vulnerable but
> drupal7 is not in dla-needed.txt.

It may be that drupal7 was not marked as being vulnerable to
CVE-2020-36193 at the time of triage. After all, the code copy of
Tar.php (in "system.tar.inc") is very slightly hidden. I would go
ahead and add drupal7 as well -- a very quick glance suggests that it
is, indeed, vulnerable.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: CVE-2020-36193 php-pear vs drupal7
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: CVE-2020-36193 php-pear vs drupal7
  - From: Emilio Pozuelo Monfort <pochu27@gmail.com>

References:
- CVE-2020-36193 php-pear vs drupal7
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: CVE-2020-36193 php-pear vs drupal7
Next by Date: Re: CVE-2020-36193 php-pear vs drupal7
Previous by thread: CVE-2020-36193 php-pear vs drupal7
Next by thread: Re: CVE-2020-36193 php-pear vs drupal7
Index(es):
- Date
- Thread