
Re: CVE-2020-36193 php-pear vs drupal7



Hi Gunnar, all

See below.

On Tue, 9 Mar 2021 at 05:11, Gunnar Wolf <gwolf@debian.org> wrote:
Hello Ola, Salvatore, Chris et al.!

Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> Hi Salvatore, Gunnar, all
>
> When looking further into this issue I do not think drupal7 is completely
> fixed.
> The Drupal 7 package includes the following fix:
> +                        if (strpos(realpath(dirname($v_header['link'])),
> realpath($p_path)) !== 0) {
>
> But it is missing the depth check
> https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
>
> Or is it something that makes that depth check unnecessary?
>
> I'm asking since I'm looking into the php-pear fix and it should be very
> similar to the drupal 7 fix.

Umh... Did you consider the following patch?

    https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001


Yes, that is the "if (strpos(..." fix I was referring to below.
This is needed, but for php-pear there is also the fix to check for multiple ../.. as protection mentioned as part of this CVE. This is not included in the Drupal fix you mention and then obviously not in the uploaded package either.

To me it looks like we have one more flaw to fix in Drupal. The question is whether it should be handled as part of this CVE, or if we should consider requesting a new CVE for it.
 
I understand, but will admit that I didn't dig deep at all, that the
Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of
course, my handling of this issue was basically only backporting the
(very simple) diff in question from their 7.78 to our 7.52.

I see.

Best regards

// Ola
 
Greetings,


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
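The two checks this thread contrasts, the realpath containment test from the Drupal patch and the depth check for repeated `..` segments, written out in Python as an added example (this is not Archive_Tar's, Drupal's or Debian's code). Function names and the sample entries are constructed, and the containment test is anchored at the extraction directory rather than the process working directory.

```python
import os
from pathlib import PurePosixPath


def link_depth_ok(link: str) -> bool:
    """Depth check: walk the symlink target's components and refuse any
    target that climbs above its own starting point with '..', even if
    it would come back inside afterwards."""
    depth = 0
    for part in PurePosixPath(link).parts:
        if part == "..":
            depth -= 1
        elif part not in ("", ".", "/"):
            depth += 1
        if depth < 0:
            return False
    return True


def link_target_inside(link: str, extract_dir: str) -> bool:
    """Containment check in the spirit of the Drupal patch: realpath of the
    target's directory must sit under realpath of the extraction directory.
    Assumptions of this example that differ from the patch: the target is
    resolved relative to extract_dir, and the prefix test is separator-aware
    so that /tmp/ex does not accept /tmp/ex2."""
    base = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(extract_dir, os.path.dirname(link)))
    return target == base or target.startswith(base + os.sep)


def symlink_entry_is_safe(link: str, extract_dir: str) -> bool:
    """A symlink entry is created only if both checks pass."""
    return link_depth_ok(link) and link_target_inside(link, extract_dir)


def vet_symlink_entries(entries, extract_dir):
    """Return the names of entries that must be refused; entries are
    (name, link) pairs as a tar reader would hand them over."""
    return [name for name, link in entries
            if not symlink_entry_is_safe(link, extract_dir)]


# Constructed sample entries (not taken from any real archive).
SAMPLE_ENTRIES = [
    ("docs", "docs/readme"),            # stays inside: accepted
    ("evil1", "../../../etc/passwd"),   # climbs out: both checks refuse it
    ("evil2", "/etc/passwd"),           # absolute: containment refuses it
    ("sneaky", "../ex/inner/file"),     # out and back in: only the depth check refuses it
]

if __name__ == "__main__":
    print(vet_symlink_entries(SAMPLE_ENTRIES, "/tmp/ex"))
```

The "sneaky" entry is the reason the thread asks about the depth check: realpath alone lands back inside the extraction directory and accepts it.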