Bug 904675 - <www-apps/drupal-{7.96,9.4.14,9.5.8,10.0.8}: Drupal core - Moderately critical - Access bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-19 18:18 UTC by Viorel Munteanu
Modified: 2023-04-28 03:34 UTC

See Also:
Package list:
Runtime testing required: ---


Description Viorel Munteanu gentoo-dev 2023-04-19 18:18:49 UTC
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

https://www.drupal.org/sa-core-2023-005
Comment 1 Larry the Git Cow gentoo-dev 2023-04-19 18:28:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3057ad05d24d2bf56565d5142ccc67752ba74be

commit a3057ad05d24d2bf56565d5142ccc67752ba74be
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-04-19 18:26:48 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-04-19 18:26:48 +0000

    www-apps/drupal: add 10.0.8
    
    Bug: https://bugs.gentoo.org/904675
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 +
 www-apps/drupal/drupal-10.0.8.ebuild | 71 ++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d522625e32346e38b67091115412c3e763f3fe9

commit 8d522625e32346e38b67091115412c3e763f3fe9
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-04-19 18:24:54 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-04-19 18:24:54 +0000

    www-apps/drupal: add 9.5.8
    
    Bug: https://bugs.gentoo.org/904675
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest            |  1 +
 www-apps/drupal/drupal-9.5.8.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5b0667b97e60bd58b0fc5675e13299ee6d73f16

commit f5b0667b97e60bd58b0fc5675e13299ee6d73f16
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-04-19 18:22:55 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-04-19 18:22:55 +0000

    www-apps/drupal: add 9.4.14
    
    Bug: https://bugs.gentoo.org/904675
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 +
 www-apps/drupal/drupal-9.4.14.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8078184c90f7b94b98734e8a8898d03ed90cb12e

commit 8078184c90f7b94b98734e8a8898d03ed90cb12e
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-04-19 18:19:21 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-04-19 18:19:21 +0000

    www-apps/drupal: add 7.96
    
    Bug: https://bugs.gentoo.org/904675
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest           |  1 +
 www-apps/drupal/drupal-7.96.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-28 03:34:05 UTC
Thanks, all done!