Your message dated Tue, 29 Jan 2013 20:58:09 +0000
with message-id <[email protected]>
and subject line Re: Bug#699284: unblock: drupal7/7.14-1.3
has caused the Debian Bug report #699284,
regarding unblock: drupal7/7.14-1.3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
699284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699284
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package drupal7
I have uploaded drupal7 version 7.14-1.3, closing bug #698334 (Drupal
security advisory SA-CORE-2013-001 - Cross-site scripting, Access
bypass)
You will notice I added the missing DEP3 header to the patch for
SA-CORE-2012-004 I uploaded in 7.14-1.2; it should make no functional
difference.
Thanks,
unblock drupal7/7.14-1.3
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2013-01-11 17:58:46.000000000 -0600
+++ drupal7-7.14/debian/changelog 2013-01-29 12:22:30.000000000 -0600
@@ -1,3 +1,12 @@
+drupal7 (7.14-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
+ and 7.19) (Closes: #698334)
+ * Added the missing DEP3 header to the patch introduced in 7.14-1.2
+
+ -- Gunnar Wolf <[email protected]> Tue, 29 Jan 2013 12:21:13 -0600
+
drupal7 (7.14-1.2) unstable; urgency=low
* Non-maintainer upload.
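Review bot: The new changelog entry uses urgency=low for an upload whose only purpose is a security fix (XSS and access bypass); Debian convention is urgency=high for security updates, which also shortens the migration delay. With the unblock in place this is cosmetic, but worth correcting for consistency with how the fix is described in the bug.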
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-11 17:56:43.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-29 12:20:44.000000000 -0600
@@ -1,3 +1,15 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <[email protected]>
+Last-Update: 2013-01-11
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2012-004 (Access bypass, arbitrary code execution)
+ This patch is taken from the diff between 7.17 and 7.18, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2012-004
+
Index: drupal7-7.14/includes/file.inc
===================================================================
--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
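Review bot: The Origin field and the Description in this new DEP3 header contradict each other: Origin says "backport (diff between 7.18 and 7.19)" while the Description says the patch "is taken from the diff between 7.17 and 7.18". This is the SA-CORE-2012-004 patch, and the 7.18/7.19 wording is exactly what the new 60_SA-CORE-2013-001 header uses, so the Origin line looks copy-pasted; change it to `Origin: backport (diff between 7.17 and 7.18)`. Two smaller points: "SA_CORE-2012-004" in the Description uses an underscore where the file name and advisory URL use "SA-CORE-2012-004", and DEP3 expects Applied-Upstream to carry the upstream version or commit URL rather than "Yes" (here "7.18" would do).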
diff -Nru drupal7-7.14/debian/patches/60_SA-CORE-2013-001 drupal7-7.14/debian/patches/60_SA-CORE-2013-001
--- drupal7-7.14/debian/patches/60_SA-CORE-2013-001 1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/60_SA-CORE-2013-001 2013-01-29 12:19:10.000000000 -0600
@@ -0,0 +1,127 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <[email protected]>
+Last-Update: 2013-01-29
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2013-001 (Cross-site scripting, Access bypass)
+ This patch is taken from the diff between 7.18 and 7.19, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2013-001
+
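Review bot: "SA_CORE-2013-001" in the Description line uses an underscore where the file name and the advisory URL two lines below use "SA-CORE-2013-001"; make them consistent. Origin and Description agree here (7.18 to 7.19), which is correct for this advisory. As with the other header, Applied-Upstream should name the version ("7.19") rather than "Yes".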
+Index: drupal7-7.14/misc/collapse.js
+===================================================================
+--- drupal7-7.14.orig/misc/collapse.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/collapse.js 2013-01-29 12:15:58.000000000 -0600
+@@ -58,9 +58,9 @@
+ $('fieldset.collapsible', context).once('collapse', function () {
+ var $fieldset = $(this);
+ // Expand fieldset if there are errors inside, or if it contains an
+- // element that is targeted by the uri fragment identifier.
++ // element that is targeted by the uri fragment identifier.
+ var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
+- if ($('.error' + anchor, $fieldset).length) {
++ if ($fieldset.find('.error' + anchor).length) {
+ $fieldset.removeClass('collapsed');
+ }
+
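Review bot: The removed and added comment lines ("// element that is targeted by the uri fragment identifier.") are identical as text, so that pair is a whitespace-only change; in a targeted security backport it is noise that enlarges the diff and should be dropped unless the frozen file really needs it. The substantive change, `$('.error' + anchor, $fieldset)` to `$fieldset.find('.error' + anchor)`, is the right shape: `.find()` always treats its argument as a selector, whereas `$(string, context)` can route a string containing "<" through jQuery's HTML parser, and `anchor` is built from the attacker-influenced `location.hash`. A malformed fragment can still make `.find()` throw a Sizzle syntax error, but that is pre-existing behaviour and only breaks the page's own script, not a security issue.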
+Index: drupal7-7.14/misc/drupal.js
+===================================================================
+--- drupal7-7.14.orig/misc/drupal.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/drupal.js 2013-01-29 12:14:56.000000000 -0600
+@@ -7,6 +7,27 @@
+ (function ($) {
+
+ /**
++ * Override jQuery.fn.init to guard against XSS attacks.
++ *
++ * See http://bugs.jquery.com/ticket/9521
++ */
++var jquery_init = $.fn.init;
++$.fn.init = function (selector, context, rootjQuery) {
++ // If the string contains a "#" before a "<", treat it as invalid HTML.
++ if (selector && typeof selector === 'string') {
++ var hash_position = selector.indexOf('#');
++ if (hash_position >= 0) {
++ var bracket_position = selector.indexOf('<');
++ if (bracket_position > hash_position) {
++ throw 'Syntax error, unrecognized expression: ' + selector;
++ }
++ }
++ }
++ return jquery_init.call(this, selector, context, rootjQuery);
++};
++$.fn.init.prototype = jquery_init.prototype;
++
++/**
+ * Attach all registered behaviors to a page element.
+ *
+ * Behaviors are event-triggered actions that attach to page elements, enhancing
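Review bot: The guard in the `$.fn.init` override is intentionally narrow: it throws only when a "#" precedes the first "<", so strings that begin with "<" (intended HTML) and strings without any "#" pass through unchanged. That makes it a mitigation for the `$(location.hash)` pattern rather than a general selector/HTML disambiguation, and the patch description should say so, because the override applies to every jQuery call on the site, including contrib modules: a legitimate HTML string that happens to contain "#" before its first "<" (for example in text content) will now throw. The override also only helps if drupal.js is loaded after jQuery and before any other script captures `$.fn.init`, so the load order must not change. The final `$.fn.init.prototype = jquery_init.prototype;` line is essential, otherwise objects created through the wrapper lose the jQuery prototype; keep it. Throwing a plain string instead of an `Error` loses the stack trace, but it matches Sizzle's own "Syntax error, unrecognized expression" convention, so it is acceptable for fidelity with the upstream change.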
+Index: drupal7-7.14/misc/vertical-tabs.js
+===================================================================
+--- drupal7-7.14.orig/misc/vertical-tabs.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/vertical-tabs.js 2013-01-29 12:14:56.000000000 -0600
+@@ -50,8 +50,8 @@
+ if (!tab_focus) {
+ // If the current URL has a fragment and one of the tabs contains an
+ // element that matches the URL fragment, activate that tab.
+- if (window.location.hash && $(window.location.hash, this).length) {
+- tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
++ if (window.location.hash && $(this).find(window.location.hash).length) {
++ tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
+ }
+ else {
+ tab_focus = $('> .vertical-tabs-pane:first', this);
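Review bot: `$(this).find(window.location.hash)` is evaluated twice on consecutive lines (once for the `.length` test, once to compute `tab_focus`); the double evaluation was already there in the removed lines, so caching it in a local (after the `window.location.hash &&` guard, so an empty hash is never passed to `.find()`) is optional for a backport. The rewrite itself is the same fix as in collapse.js: `.find()` treats the fragment strictly as a selector, so a URL fragment can no longer reach jQuery's HTML path through `$(hash, this)`.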
+Index: drupal7-7.14/modules/book/book.pages.inc
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.pages.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.pages.inc 2013-01-29 12:14:56.000000000 -0600
+@@ -38,6 +38,15 @@
+ * format determined by the $type parameter.
+ */
+ function book_export($type, $nid) {
++ // Check that the node exists and that the current user has access to it.
++ $node = node_load($nid);
++ if (!$node) {
++ return MENU_NOT_FOUND;
++ }
++ if (!node_access('view', $node)) {
++ return MENU_ACCESS_DENIED;
++ }
++
+ $type = drupal_strtolower($type);
+
+ $export_function = 'book_export_' . $type;
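Review bot: The new check covers only the root node named in the URL; the `book_export_<type>` callback selected just below walks the whole book subtree, so confirm that the traversal also applies `node_access('view', ...)` to each child page, otherwise a user allowed to view the root could still read restricted children through the export. Returning MENU_NOT_FOUND / MENU_ACCESS_DENIED from the page callback is the correct way to let the menu system render a 404/403. Placing the check before the `$type` normalization is fine, since the access decision does not depend on the export format.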
+Index: drupal7-7.14/modules/book/book.test
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.test 2013-01-29 12:14:56.000000000 -0600
+@@ -258,6 +258,13 @@
+ // Try getting the URL directly, and verify it fails.
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', t('Anonymous user properly forbidden.'));
++
++ // Now grant anonymous users permission to view the printer-friendly
++ // version and verify that node access restrictions still prevent them from
++ // seeing it.
++ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
++ $this->drupalGet('book/export/html/' . $this->book->nid);
++ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
+ }
+
+ /**
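Review bot: The new assertion message is a bare string while the one three lines above is wrapped in `t()`; pick one style within the method. The added case is the actual regression test for the access bypass (the 'access printer-friendly version' permission alone must not be sufficient), and it depends on the test's `$this->book` node being denied to anonymous users by node access in the fixture, which this hunk does not show; if that setup were missing the assertion would fail rather than silently pass, which is the right failure mode.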
+Index: drupal7-7.14/modules/image/image.module
+===================================================================
+--- drupal7-7.14.orig/modules/image/image.module 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/image/image.module 2013-01-29 12:14:56.000000000 -0600
+@@ -292,7 +292,8 @@
+ if ($info = image_get_info($uri)) {
+ // Check the permissions of the original to grant access to this image.
+ $headers = module_invoke_all('file_download', $original_uri);
+- if (!in_array(-1, $headers)) {
++ // Confirm there's at least one module granting access and none denying access.
++ if (!empty($headers) && !in_array(-1, $headers)) {
+ return array(
+ // Send headers describing the image's size, and MIME-type...
+ 'Content-Type' => $info['mime_type'],
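Review bot: The added `!empty($headers)` closes a fail-open default: with no module implementing hook_file_download for the original, `$headers` was empty, `in_array(-1, $headers)` was false, and the derivative image was served. The new comment states the rule accurately (at least one grant and no denial). Remaining nit: `in_array(-1, $headers)` uses loose comparison, so a header value that is the string "-1" would also count as a denial; harmless here, but `in_array(-1, $headers, TRUE)` is strict and easier to reason about.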
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2013-01-11 17:47:21.000000000 -0600
+++ drupal7-7.14/debian/patches/series 2013-01-29 12:14:19.000000000 -0600
@@ -2,3 +2,4 @@
30_DFSG-sources.patch
40_SA-CORE-2012-003
50_SA-CORE-2012-004
+60_SA-CORE-2013-001
--- End Message ---
--- Begin Message ---
On Tue, 2013-01-29 at 12:37 -0600, Gunnar Wolf wrote:
> I have uploaded drupal7 version 7.14-1.3, closing bug #698334 (Drupal
> security advisory SA-CORE-2013-001 - Cross-site scripting, Access
> bypass)
Unblocked; thanks.
Regards,
Adam
--- End Message ---