
Re: CVE-2020-36193 php-pear vs drupal7



Hi Salvatore, Gunnar, all

When looking further into this issue I do not think drupal7 is completely fixed.
The drupal7 package includes the following fix:
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
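Review bot: the prefix test on this line, `strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0`, compares against the bare extraction root with no directory separator after it, so a resolved target directory whose name merely begins with the root (a sibling such as `<root>_x`) shares the prefix and is accepted; compare against `realpath($p_path) . DIRECTORY_SEPARATOR` or require equality with the root itself. The line also only ever inspects the resolved directory of the target, so nothing here limits how many `..` components the link target may use relative to the entry's own directory; that is the separate depth check being asked about.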

But it is missing the depth check
https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf

Or is it something that makes that depth check unnecessary?

I'm asking since I'm looking into the php-pear fix and it should be very similar to the drupal 7 fix.

Cheers

// Ola






On Thu, 25 Feb 2021 at 23:04, Ola Lundqvist <ola@inguza.com> wrote:
Great! Thank you all for the good answers.

// Ola

On Thu, 25 Feb 2021 at 10:53, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi,

On Thu, Feb 25, 2021 at 09:09:08AM +0000, Chris Lamb wrote:
> Morning Ola,
>
> > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> > The thing is that this CVE tells that drupal7 is also vulnerable but
> > drupal7 is not in dla-needed.txt.
>
> It may be that drupal7 was not marked as being vulnerable to
> CVE-2020-36193 at the time of triage. After all, the code copy of
> Tar.php (in "system.tar.inc") is very slightly hidden. I would go
> ahead and add drupal7 as well -- a very quick glance suggests that it
> is, indeed, vulnerable.

The specific issue was already fixed in drupal7 by Gunnar's upload in
DLA 2530-1.

Regards,
Salvatore


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------





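Added illustration, not Archive_Tar's or drupal7's own code: the quoted fix reduces to a string prefix test on two resolved paths, so the first two helpers show that test and a variant that respects directory boundaries; the third is a lexical depth check of the kind the message asks about, walking a symlink target relative to the directory the link entry will be created in and refusing any `..` that rises above the extraction root. Helper names and the sample entries are constructed for this example and are not taken from upstream.

```php
<?php
// Added example; not Archive_Tar or drupal7 code. Helper names are invented.

// The quoted fix, reduced to the comparison it performs once realpath() has
// resolved both sides: strpos($resolvedDir, $root) !== 0 rejects the entry.
function prefixCheckNaive(string $resolvedDir, string $root): bool
{
    return strpos($resolvedDir, $root) === 0;
}

// Same intent, but the resolved directory must be the root itself or sit
// below "root/", so a sibling such as "root_evil" no longer shares the prefix.
function prefixCheckStrict(string $resolvedDir, string $root): bool
{
    $root = rtrim($root, '/');
    return $resolvedDir === $root || strpos($resolvedDir, $root . '/') === 0;
}

// Lexical depth check on the archive entry itself, no filesystem access:
// $entryName is the path of the symlink entry inside the archive, $target is
// the link target stored in the header. Walk the target relative to the
// entry's directory and reject as soon as a ".." would climb above the root.
function linkTargetStaysInside(string $entryName, string $target): bool
{
    if ($target === '' || $target[0] === '/') {
        return false;                        // absolute targets always escape
    }
    $depth = 0;                              // depth of the link's own directory
    foreach (explode('/', dirname($entryName)) as $seg) {
        if ($seg !== '' && $seg !== '.') {
            $depth++;
        }
    }
    foreach (explode('/', $target) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (--$depth < 0) {
                return false;                // rose above the extraction root
            }
        } else {
            $depth++;
        }
    }
    return true;
}

// Constructed cases: a sibling directory sharing the root's name as a prefix,
// a link that climbs exactly back to the root, one that climbs past it, and
// an absolute target.
$root = '/tmp/extract';
var_dump(prefixCheckNaive('/tmp/extract_evil', $root));
var_dump(prefixCheckStrict('/tmp/extract_evil', $root));
var_dump(linkTargetStaysInside('a/b/link', '../../x'));
var_dump(linkTargetStaysInside('a/b/link', '../../../etc/passwd'));
var_dump(linkTargetStaysInside('link', '/etc/passwd'));
```

The first call shows the bare strpos test accepting a sibling directory whose name merely begins with the root; the strict variant rejects it. The depth helper accepts `../../x` from `a/b/` because it lands on the root itself, and rejects the target with one more `..` as well as the absolute target, without needing the target to exist yet on disk.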