Re: CVE-2020-36193 php-pear vs drupal7

To: Chris Lamb <lamby@debian.org>, Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>, Gunnar Wolf <gwolf@debian.org>
Subject: Re: CVE-2020-36193 php-pear vs drupal7
From: Emilio Pozuelo Monfort <pochu27@gmail.com>
Date: Thu, 25 Feb 2021 10:36:39 +0100
Message-id: <[🔎] b544191f-73fc-71cd-e557-ee3469fdfc6a@gmail.com>
In-reply-to: <[🔎] 7ae1f4a8-175d-420b-b3ae-6b79248a1291@www.fastmail.com>
References: <[🔎] CABY6=0nOOt2o4JPRdaRBVCNQFYo2XA+YGp5du=_XR5iZep-=2w@mail.gmail.com> <[🔎] 7ae1f4a8-175d-420b-b3ae-6b79248a1291@www.fastmail.com>

On 25/02/2021 10:09, Chris Lamb wrote:

Morning Ola,

Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
Ths thing is that this CVE tells that drupal7 is also vulnerable but
drupal7 is not in dla-needed.txt.


It may be that drupal7 was not marked as being vulnerable to
CVE-2020-36193 at the time of triage. After all, the code copy of
Tar.php (in "system.tar.inc") is very slightly hidden. I would go
ahead and add drupal7 as well -- a very quick glance suggests that it
is, indeed, vulnerable.

Also please coordinate with drupal7's maintainer (in Cc), who has been takingcare of the package in stretch.


Thanks,
Emilio

Reply to:

References:
- CVE-2020-36193 php-pear vs drupal7
  - From: Ola Lundqvist <ola@inguza.com>
- Re: CVE-2020-36193 php-pear vs drupal7
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: Re: CVE-2020-36193 php-pear vs drupal7
Next by Date: Tracking related source packages
Previous by thread: Re: CVE-2020-36193 php-pear vs drupal7
Next by thread: Tracking related source packages
Index(es):
- Date
- Thread