Hi Salvatore, On 28-09-2019 23:41, Salvatore Bonaccorso wrote: >> So I believe the affected code was only introduced then. > > I tried to get an idea here, but still I'm not sure 100%. Isn't for > instance the is_graph_allowed check missing in e.g. graph_xport.php, > so before accessing the graph_info, there is no check for if the user > is allowed to access the graph. For other parts this is done in > 0.8.8h. > > When in doupt, I rather would prefer to "wrongly" mark something as > affected rather than triage it as not-affected, and later to be turned > wrong. > > Although the CVE assignment is somehow specific to the graph_json.php > part, which is not present in 0.8.8h I'm raising still the above, as > upstream has at least decided to cover the other changes for > permission checks in the two related commits. > > Is upstream available to check and to confirm the stretch version is > not affected despite the potential missing permission checks there?
I already noted on IRC the other day that I think the pre 1 code is affected as well. So I agree with your assessment. Paul
signature.asc
Description: OpenPGP digital signature
