From 5d5bcc25eae94f324ecaf48e254371a4efe8973b Mon Sep 17 00:00:00 2001
From: John Rearick
Date: Wed, 20 Jan 2021 13:01:40 -0600
Subject: [PATCH 1/3] LUGG-1222 Drupal 7.78 SA-CORE-2021-001
---
 CHANGELOG.txt | 5 +++++
 includes/bootstrap.inc | 2 +-
 modules/system/system.tar.inc | 8 ++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 2c3b93c64..f9b010c58 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.78, 2021-01-19
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2021-001
+
 Drupal 7.77, 2020-12-03
 -----------------------
 - Hotfix for schema.prefixed tables
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 87c1fdca2..2b6d7ff48 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.77');
+define('VERSION', '7.78');
 
 /**
 * Core API compatibility.
diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
index 92fa52908..0af6275b4 100644
--- a/modules/system/system.tar.inc
+++ b/modules/system/system.tar.inc
@@ -2178,6 +2178,14 @@ class Archive_Tar
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
+ if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $this->_error(
+ 'Out-of-path file extraction {'
+ . $v_header['filename'] . ' --> '
+ . $v_header['link'] . '}'
+ );
+ return false;
+ }
 if (!$p_symlinks) {
 $this->_warning('Symbolic links are not allowed. '
 . 'Unable to extract {'
From b044dae7fb5b47fe165b6f74f0f028c323c19ade Mon Sep 17 00:00:00 2001
From: John Rearick
Date: Wed, 20 Jan 2021 13:03:52 -0600
Subject: [PATCH 2/3] LUGG-1222 update luggage version
---
 LUGGAGE_CHANGELOG.txt | 5 +++++
 LUGGAGE_VERSION.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/LUGGAGE_CHANGELOG.txt b/LUGGAGE_CHANGELOG.txt
index 75867d8e0..b539c6347 100644
--- a/LUGGAGE_CHANGELOG.txt
+++ b/LUGGAGE_CHANGELOG.txt
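Review bot: The new check in the typeflag "2" branch compares realpath(dirname($v_header['link'])) with realpath($p_path) as a bare string prefix, so a link whose parent resolves under a sibling directory that merely shares the prefix (extracting into `/srv/site` while the target resolves under `/srv/site2`) still passes `strpos(...) !== 0`. The relative link target is also resolved by realpath() against the process working directory rather than the directory the symlink will be placed in (`$p_path . '/' . dirname($v_header['filename'])`), so whether a `../` target is accepted depends on where the caller happens to run, and a target that does not exist yet makes realpath() return false, which strpos() coerces to an empty string and rejects — fail-closed, but it refuses archives whose links point at entries extracted later. I would anchor the resolution at the link's own directory, treat a false from either realpath() as an error, and require the resolved parent to equal the base or start with the base plus a separator, as sketched below (realpath() on Windows yields backslashes, so the separator may need DIRECTORY_SEPARATOR there). The symlink() call this guard protects and the rest of the extraction loop lie outside the hunk, so I have not checked what happens once the check passes.
```php
            } elseif ($v_header['typeflag'] == "2") {
                $v_base = realpath($p_path);
                // Resolve relative targets from the directory the link is created in,
                // not from the process CWD; a missing path makes realpath() return false.
                if (substr($v_header['link'], 0, 1) === '/') {
                    $v_target = $v_header['link'];
                } else {
                    $v_target = $p_path . '/' . dirname($v_header['filename']) . '/' . $v_header['link'];
                }
                $v_real = realpath(dirname($v_target));
                if ($v_base === false || $v_real === false
                    || ($v_real !== $v_base && strpos($v_real, $v_base . '/') !== 0)) {
                    $this->_error(
                        'Out-of-path file extraction {'
                        . $v_header['filename'] . ' --> '
                        . $v_header['link'] . '}'
                    );
                    return false;
                }
                // … unchanged: $p_symlinks check and the symlink creation that follows …
```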
@@ -2,6 +2,11 @@ How to read this changelog:
 The LUGG- prefix refers to JIRA issue numbers; the # prefix refers to GitHub issue numbers.
+Luggage 3.6.18, 2021-01-20
+Drupal 7.78, 2021-01-20
+-------------------------
+- LUGG-1222 - Drupal 7.78 SA-CORE-2021-001
+
 Luggage 3.6.17, 2020-12-23
 Drupal 7.77, 2020-12-03
 -------------------------
diff --git a/LUGGAGE_VERSION.php b/LUGGAGE_VERSION.php
index 46027cbb6..221970606 100644
--- a/LUGGAGE_VERSION.php
+++ b/LUGGAGE_VERSION.php
@@ -1,3 +1,3 @@
Date: Wed, 20 Jan 2021 13:16:52 -0600
Subject: [PATCH 3/3] LUGG-1222 update luggage_isu version
---
 LUGGAGE_ISU_CHANGELOG.txt | 5 +++++
 LUGGAGE_ISU_VERSION.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/LUGGAGE_ISU_CHANGELOG.txt b/LUGGAGE_ISU_CHANGELOG.txt
index f0245979e..f9f5be677 100644
--- a/LUGGAGE_ISU_CHANGELOG.txt
+++ b/LUGGAGE_ISU_CHANGELOG.txt
@@ -6,6 +6,11 @@ The Luggage_ISU version number shows the upstream Luggage version it is based on as well as the Luggage_ISU version. For example, Luggage_ISU 3.5.0-5.0 is based on the upstream Luggage release 3.5.0.
+Drupal 7.78, 2021-01-20
+-------------------------
+Merged with upstream Luggage 3.6.18
+- LUGG-1222 - Drupal 7.78 SA-CORE-2021-001
+
 Luggage_ISU 3.6.17-6.17. 2020-12-23
 Drupal 7.77, 2020-12-03
 -------------------------
diff --git a/LUGGAGE_ISU_VERSION.php b/LUGGAGE_ISU_VERSION.php
index 5d741b34e..b653ddc26 100644
--- a/LUGGAGE_ISU_VERSION.php
+++ b/LUGGAGE_ISU_VERSION.php
@@ -1,3 +1,3 @@