Hi Paul, On Tue, Sep 24, 2019 at 09:02:58PM +0200, Paul Gevers wrote: > Hi, > > Although not 100% sure yet, I seriously doubt that old stable is > affected as version 1.0.0 has this: > > -feature: New Graph Permissions system designed to make permissions > simple to manage > > So I believe the affected code was only introduced then.
I tried to get an idea here, but still I'm not sure 100%. Isn't for instance the is_graph_allowed check missing in e.g. graph_xport.php, so before accessing the graph_info, there is no check for if the user is allowed to access the graph. For other parts this is done in 0.8.8h. When in doupt, I rather would prefer to "wrongly" mark something as affected rather than triage it as not-affected, and later to be turned wrong. Although the CVE assignment is somehow specific to the graph_json.php part, which is not present in 0.8.8h I'm raising still the above, as upstream has at least decided to cover the other changes for permission checks in the two related commits. Is upstream available to check and to confirm the stretch version is not affected despite the potential missing permission checks there? Regards, Salvatore
