[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2020-36193 php-pear vs drupal7

Hello Ola, Salvatore, Chris et. al.!

Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> Hi Salvatore, Gunnar, all
> 
> When looking further into this issue I do not think drupal7 is completely
> fixed.
> The durpal 7 package include the following fix:
> +                        if (strpos(realpath(dirname($v_header['link'])),
> realpath($p_path)) !== 0) {
> 
> But it is missing the depth check
> https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
> 
> Or is it something that makes that depth check unnecessary?
> 
> I'm asking since I'm looking into the php-pear fix and it should be very
> similar to the drupal 7 fix.

Umh... Did you consider the following patch?

    https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001

I understand, but will admit that I didn't dig deep at all, that the
Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of
course, my handling of this issue was basically only backporting the
(very simple) diff in question from their 7.78 to our 7.52.

Greetings,
Reply to: