Hilko Bengen wrote:
Micah Anderson [EMAIL PROTECTED] writes:
The Drupal package is vulnerable to the following two CVE advisories:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3975
Do you intend to have these fixed in Sarge?
I did fix them and contacted the Security Team on Tue, 29 Nov 2005
16:48:27 +0100. However, I'm not aware of having received an answer.
I don't even have your mail. *sigh* Must have fallen through the
cracks.
The packages I intended to upload to stable-security can be found at
http://www.hilluzination.de/stuff/debian/.
Thanks a lot!
I've reviewed them, well, I tried to, but due to the massive changes
it is not exactly possible. However, I have detected a lot of unrelated
changes to some template files, which I have stripped off of the source
package. They are not suited for a security update. I'll build binary
packages from the remaining source. I'm attaching the interdiff against
the last version of Drupal.
Here's the proposed advisory body:
Package: drupal
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2005-3973 CVE-2005-3974 CVE-2005-3975
CERT advisory :
BugTraq IDs: 15674 15677 15663
Debian Bug :
Several security related problems have been discovered in drupal, a
fully-featured content management/discussion engine. The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:
CVE-2005-3973
Several cross-site scripting vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2005-3974
When running on PHP5, Drupal does not correctly enforce user
privileges, which allows remote attackers to bypass the access
user profiles permission.
CVE-2005-3975
An interpretation conflict allows remote authenticated users to
inject arbitrary web script or HTML via HTML in a file with a GIF
or JPEG file extension.
The old stable distribution (woody) does not contain drupal packages.
For the stable distribution (sarge) these problems have been fixed in
version 4.5.3-5.
For the unstable distribution (sid) these problems have been fixed in
version XX
We recommend that you upgrade your drupal package.
Regards,
Joey
--
Have you ever noticed that General Public Licence contains the word Pub?
Please always Cc to me when replying to me on the lists.
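As an added illustration, not code from this thread or from Drupal: a defender-side upload validator for the class of problem the advisory describes under CVE-2005-3975 (HTML inside a file carrying a GIF or JPEG extension), which rejects attachments whose leading bytes are not the image their extension claims or that carry HTML markers in the window a content-sniffing browser examines. The signature table, marker list, window size and sample blobs are assumptions constructed for this example.

```python
import re

# Image signatures for the extensions named in the advisory (GIF and JPEG).
# Constructed for this example; Drupal 4.5 itself does not carry this table.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Tags that a browser doing content sniffing may take as evidence that the
# body is HTML, even when the extension and Content-Type say "image".
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|title|table|pre|!--)", re.I
)

# Sniffing heuristics look at the leading bytes only, so that is what we inspect
# (512 is an assumed window, not a figure from the advisory).
SNIFF_WINDOW = 512


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'ok' for an acceptable attachment, else the reason to reject it.

    A file is accepted only if its extension is in the allow-list, its leading
    bytes carry the matching image signature, and no HTML markers appear in the
    window a sniffing browser would examine.
    """
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    signatures = IMAGE_MAGIC.get(ext)
    if signatures is None:
        return "extension-not-allowed"
    head = data[:SNIFF_WINDOW]
    if not any(head.startswith(sig) for sig in signatures):
        return "magic-mismatch"   # e.g. an HTML document renamed to .gif
    if HTML_MARKERS.search(head):
        return "html-in-image"    # valid image header with HTML appended after it
    return "ok"


# Constructed sample uploads (not real files from any site).
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
HTML_AS_GIF = b"<html><head><title>hello</title></head><body>hi</body></html>"
POLYGLOT_GIF = b"GIF89a" + b"\x00" * 16 + b"<html><body>hi</body></html>"
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("logo.gif", GOOD_GIF), ("logo.gif", HTML_AS_GIF),
                       ("logo.gif", POLYGLOT_GIF), ("photo.jpeg", GOOD_JPEG),
                       ("notes.txt", b"plain text")]:
        print(f"{name}: {classify_upload(name, blob)}")
```

Byte inspection is a heuristic; serving attachments with a fixed Content-Type and Content-Disposition: attachment, ideally from a separate hostname, is the more robust control for the same interpretation conflict.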
diff -u drupal-4.5.3/debian/changelog drupal-4.5.3/debian/changelog
--- drupal-4.5.3/debian/changelog
+++ drupal-4.5.3/debian/changelog
@@ -1,3 +1,15 @@
+drupal (4.5.3-5) stable-security; urgency=HIGH
+
+ * Maintainer upload for the Security Team
+ * Fixes three security vulnerabilities:
+- DRUPAL-SA-2005-007: Cross-site-scripting vulnerability
+- DRUPAL-SA-2005-008: It was possible to attach files that are able
+ to run Javascript under Internet Explorer.
+- DRUPAL-SA-2005-009: It was possible to bypass the 'access user
+ profile' permission if the server was running PHP5
+
+ -- Hilko Bengen [EMAIL PROTECTED] Wed, 30 Nov 2005 23:23:05 +0100
+
drupal (4.5.3-4) stable-security; urgency=HIGH
* Maintainer upload for the Security Team
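Review bot: the new changelog entry cites only the DRUPAL-SA-2005-007/008/009 identifiers; the bullets should also carry the matching CVE IDs (CVE-2005-3973, CVE-2005-3974 and CVE-2005-3975, as listed in the advisory draft above), since the security tracker and DSA text are keyed on CVE names, not on upstream advisory numbers. Minor: "Javascript" should read "JavaScript", and the SA-2005-008 bullet would be more useful if it stated what the upload changes (for example, which file types are now refused) rather than only what was possible before.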
diff -u drupal-4.5.3/includes/bootstrap.inc drupal-4.5.3/includes/bootstrap.inc
--- drupal-4.5.3/includes/bootstrap.inc
+++ drupal-4.5.3/includes/bootstrap.inc
@@ -387,15 +387,6 @@
}
/**
- * Return the URI of the referring page.
- */
-function referer_uri() {
- if (isset($_SERVER['HTTP_REFERER'])) {
-return check_url($_SERVER['HTTP_REFERER']);
- }
-}
-
-/**
* Return a component of the current Drupal path.
*
* When viewing a page at the path admin/node/configure, for example, arg(0)
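Review bot: referer_uri() is deleted outright from bootstrap.inc rather than kept or deprecated; in a stable-security update, removing a public helper turns every remaining call in a module, theme or site-local include into a fatal undefined-function error. The interdiff shows no caller being updated, so either confirm with a grep over the whole package that nothing still references referer_uri(), or keep a thin wrapper in place that returns the value escaped with the check_plain() helper this patch adds further down, so existing callers keep working.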
@@ -426,19 +417,6 @@
}
/**
- * Prepare user input for use in a URI.
- *
- * We replace ( and ) with their entity equivalents to prevent XSS attacks.
- */
-function check_url($uri) {
- $uri = htmlspecialchars($uri, ENT_QUOTES);
-
- $uri = strtr($uri, array('(' = '040;', ')' = '041;'));
-
- return $uri;
-}
-
-/**
* Since request_uri() is only available on Apache, we generate an
* equivalent using other environment vars.
*/
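Review bot: the removed strtr() line reads `'(' = '040;'` in the patch as posted, which is not valid PHP (an array literal needs `=>`, and the entity must be `&#040;`), so the `&#` and `>` have been mangled in transit; check that the interdiff still applies cleanly to the 4.5.3-4 source before building, rather than assuming the attachment is byte-exact. Beyond that, deleting check_url() changes the contract for every module that still calls it for escaping, and none of those call sites appear in the hunks, so the same grep-and-replace with the new check_plain() is needed here as for referer_uri().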
@@ -456,7 +434,7 @@
}
}
- return check_url($uri);
+ return $uri;
}
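Review bot: request_uri() now returns the raw `$uri` instead of `check_url($uri)`, which moves escaping from the producer to every consumer; any place that echoes request_uri() into a page (form actions, link targets, "not found" messages) becomes a reflected cross-site scripting point unless it wraps the value in check_plain() at output time. The interdiff contains no such caller updates, so before accepting this hunk, grep the package for `request_uri(` and verify that each use is escaped on its output path.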
/**
@@ -519,6 +497,13 @@
return $messages;
}
+/**
+ * Encode special characters in a plain-text string for display as HTML.
+ */
+function check_plain($text) {
+ return htmlspecialchars($text, ENT_QUOTES);
+}
+
unset($conf);
$config = conf_init();
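Review bot: check_plain() calls htmlspecialchars($text, ENT_QUOTES) without a charset argument, so PHP falls back to its default (ISO-8859-1 on the PHP 4 and PHP 5 releases of this era); on a UTF-8 site that means multibyte input is not validated, so consider passing the site charset explicitly, e.g. `htmlspecialchars($text, ENT_QUOTES, 'UTF-8')`, or document that callers must hand in valid UTF-8. The doc comment should also say this is the output-time replacement for the removed check_url(), and that with ENT_QUOTES the result is safe in both element and attribute context, so the callers being migrated use it consistently.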
diff -u drupal-4.5.3/modules/filter.module drupal-4.5.3/modules/filter.module
--- drupal-4.5.3/modules/filter.module
+++ drupal-4.5.3/modules/filter.module
@@ -14,9 +14,6 @@
define('FILTER_HTML_STRIP', 1);
define('FILTER_HTML_ESCAPE', 2);
-define('FILTER_STYLE_ALLOW', 0);
-define('FILTER_STYLE_STRIP', 1);
-
/**
* Implementation of hook_help().
*/
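Review bot: FILTER_STYLE_ALLOW and FILTER_STYLE_STRIP are dropped here; if any stored filter setting, settings form or contrib module still references either name, PHP treats the undefined constant as a bare string and emits only a notice, so the breakage will not show up as a failure in testing. Confirm that no references remain anywhere in the package before removing them, or leave the two define() lines in place even if filter.module no longer uses them, since unused constants cost nothing in a security update.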
@@ -56,19 +53,99 @@
function filter_filter_tips($delta, $format, $long = false) {
switch ($delta)