
Bug 755602 (CVE-2020-13671)

Summary: www-apps/drupal-{7.74,8.8.11,8.9.9,9.0.8}: improper filename sanitization (CVE-2020-13671)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/sa-core-2020-012
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-11-19 18:43:41 UTC
CVE-2020-13671 (https://nvd.nist.gov/vuln/detail/CVE-2020-13671):
  Drupal core does not properly sanitize certain filenames on uploaded files,
  which can lead to files being interpreted as the incorrect extension and
  served as the wrong MIME type or executed as PHP for certain hosting
  configurations.
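As an added example (not Drupal's own code and not the Gentoo fix), one defensive way to neutralise the multi-extension upload names the advisory describes: strip path components and trailing dots/whitespace, then append an underscore to every extension-like segment that is not on a site-chosen allow-list, so no server handler matches it and the file cannot be served or executed under the wrong type. The allow-list, the extension pattern and the function name are assumptions made here.

```python
import re

# Constructed allow-list of extensions this site is willing to serve as-is (assumption).
DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "txt", "pdf"})

# Segments that look like an extension a server or interpreter might act on
# (letters, optionally one digit). Constructed pattern for illustration.
_EXT_RE = re.compile(r"^[a-z]{2,5}\d?$")


def munge_filename(filename, allowed=DEFAULT_ALLOWED):
    """Return a filename in which no non-allowed extension is left intact."""
    # Drop any directory part, then trailing/leading whitespace and dots, so
    # "shell.php. " becomes "shell.php" before the extension check runs.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().strip(". ")
    if not name:
        raise ValueError("empty filename after sanitisation")
    parts = name.split(".")
    if len(parts) == 1:
        return name  # no extension at all; nothing to munge
    stem, *middle, final = parts
    out = [stem]
    for part in middle:
        # Intermediate extensions: "x.php.txt" -> "x.php_.txt", so a handler
        # keyed on ".php" anywhere in the name no longer matches.
        if _EXT_RE.match(part.lower()) and part.lower() not in allowed:
            part += "_"
        out.append(part)
    if final.lower() not in allowed:
        # Final extension not on the allow-list: neutralise it rather than
        # letting the web server pick a MIME type or interpreter for it.
        final += "_"
    out.append(final)
    return ".".join(out)
```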
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-19 18:45:26 UTC
If you are using Drupal 9.0, update to Drupal 9.0.8
If you are using Drupal 8.9, update to Drupal 8.9.9
If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
If you are using Drupal 7, update to Drupal 7.74

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Comment 2 Larry the Git Cow gentoo-dev 2020-11-19 19:15:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5a297d26056143660d1db9df545127d2056cbf1

commit c5a297d26056143660d1db9df545127d2056cbf1
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-11-19 19:15:34 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-11-19 19:15:34 +0000

    www-apps/drupal: Security bump (CVE-2020-13671).
    
    Add 7.74, 8.8.11, 8.9.9 and 9.0.8 releases.
    Security issue: SA-CORE-2020-012
    https://www.drupal.org/sa-core-2020-012
    Bug: https://bugs.gentoo.org/755602
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest             |  4 +++
 www-apps/drupal/drupal-7.74.ebuild   | 58 ++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.11.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.9.ebuild  | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.8.ebuild  | 68 ++++++++++++++++++++++++++++++++++++
 5 files changed, 266 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-19 19:25:25 UTC
Repository is clean, all done!