Your message dated Fri, 11 Jan 2013 18:03:10 -0600
with message-id <20130112000310.gb...@gwolf.org>
and subject line Re: [drupal7] SA-CORE-2012-004 - Drupal core - Multiple
vulnerabilities in Drupal 6 & 7
has caused the Debian Bug report #696342,
regarding [drupal7] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities
in Drupal 6 & 7
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
696342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal7
Version: 7.14-1.1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
--- Please enter the report below this line. ---
Hi!
There's a security update for Drupal 6 and Drupal 7 available. Please
include the patch that stops Drupal from asking the Drupal server about
new versions this time; otherwise users will be prompted with a wrong
security warning about an issue that has already been solved. Thanks!
http://drupal.org/SA-CORE-2012-004
Multiple vulnerabilities were fixed in the supported Drupal core
versions 6 and 7.
Access bypass (User module search - Drupal 6 and 7)
A vulnerability was identified that allows blocked users to appear in
user search results, even when the search results are viewed by
unprivileged users.
This vulnerability is mitigated by the fact that the default Drupal core
user search results only display usernames (and disclosure of usernames
is not considered a security vulnerability). However, since modules or
themes may override the search results to display more information from
each user's profile, this could result in additional information about
blocked users being disclosed on some sites.
CVE: Requested.
Access bypass (Upload module - Drupal 6)
A vulnerability was identified that allows information about uploaded
files to be displayed in RSS feeds and search results to users that do
not have the "view uploaded files" permission.
This issue affects Drupal 6 only.
CVE: Requested.
Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
Drupal core's file upload feature blocks the upload of many files that
can be executed on the server by munging the filename. A malicious user
could name a file in a manner that bypasses this munging of the filename
in Drupal's input validation.
This vulnerability is mitigated by several factors: The attacker would
need the permission to upload a file to the server. Certain combinations
of PHP and filesystems are not vulnerable to this issue, though we did
not perform an exhaustive review of the supported PHP versions. Finally:
the server would need to allow execution of files in the uploads
directory. Drupal core has protected against this with a .htaccess file
protection in place from SA-2006-006 - Drupal Core - Execution of
arbitrary files in certain Apache configurations. Users of IIS should
consider updating their web.config. Users of Nginx should confirm that
only the index.php and other known good scripts are executable. Users of
other webservers should review their configuration to ensure the goals
are achieved in some other way.
CVE: Requested.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.
Versions affected
Drupal core 6.x versions prior to 6.27.
Drupal core 7.x versions prior to 7.18.
Solution
Install the latest version:
If you use Drupal 6.x, upgrade to Drupal core 6.27.
If you use Drupal 7.x, upgrade to Drupal core 7.18.
--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-4-amd64
Debian Release: 7.0
500 unstable www.deb-multimedia.org
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
====================================-+-============
debconf (>= 0.5) | 1.5.48
OR debconf-2.0 |
apache2 | 2.2.22-12
OR httpd |
php5 | 5.4.4-10
php5-mysql | 5.4.4-10
OR php5-pgsql | 5.4.4-10
php5-gd | 5.4.4-10
default-mta |
OR mail-transport-agent |
wwwconfig-common (>= 0.0.37) | 0.2.2
mysql-client | 5.5.28+dfsg-1
OR virtual-mysql-client |
OR postgresql-client | 9.1+134wheezy2
dbconfig-common | 1.8.47+nmu1
curl | 7.28.0-3
Recommends (Version) | Installed
===========================-+-===========
mysql-server | 5.5.28+dfsg-1
OR postgresql | 9.1+134wheezy2
Package's Suggests field is empty.
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
--- End Message ---
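As an added example (not Drupal's own code and not part of either message above), a simplified PHP re-creation of the extension munging the advisory's "Arbitrary PHP code execution" section describes, with the null-byte strip from the attached patch applied first; the function name `munge_filename` and the extension whitelist are assumed.

```php
<?php
/**
 * Simplified re-creation of Drupal's extension munging (assumed name, not
 * Drupal's file_munge_filename()): any extension that is not whitelisted
 * and is not the final one gets a trailing underscore, e.g. "a.php.txt"
 * becomes "a.php_.txt", so the web server no longer treats it as PHP.
 *
 * @param string $filename           Untrusted, client-supplied filename.
 * @param string $allowed_extensions Space-separated whitelist, e.g. "jpg png txt".
 * @return string                    Munged filename.
 */
function munge_filename($filename, $allowed_extensions) {
  // SA-CORE-2012-004 fix: drop embedded null bytes before looking at the
  // extensions. Without this, a part such as "php\0" is not a plain
  // alphabetic extension, so it escapes the munging below while the
  // filesystem layer stops reading the name at the null byte.
  $filename = str_replace(chr(0), '', $filename);

  $whitelist = array_unique(explode(' ', trim(strtolower($allowed_extensions))));

  // First dot-separated part is the basename, last is the final extension;
  // every part in between is checked against the whitelist.
  $parts = explode('.', $filename);
  $new_filename = array_shift($parts);
  $final_extension = array_pop($parts);

  foreach ($parts as $part) {
    $new_filename .= '.' . $part;
    if (!in_array(strtolower($part), $whitelist, TRUE)
        && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
      $new_filename .= '_';
    }
  }
  // A name with no dot at all has no final extension to re-append.
  return $final_extension === NULL ? $new_filename : $new_filename . '.' . $final_extension;
}

// Constructed sample names; "\0" embeds the null byte the patch removes.
$allowed = 'jpg png txt';
foreach (array("report.txt", "photo.php.jpg", "x.php\0.txt") as $name) {
  printf("%-16s -> %s\n", addcslashes($name, "\0"), munge_filename($name, $allowed));
}
```

Drupal validates the final extension separately (file_validate_extensions()), which this snippet does not reproduce.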
--- Begin Message ---
Hi,
I have backported the diff between 7.17 and 7.18 and uploaded it as a
NMU (7.14-1.2). I will now contact the release team requesting a
freeze exception. I'm attaching a debdiff to this mail.
Greetings,
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2012-10-19 13:09:14.000000000 -0500
+++ drupal7-7.14/debian/changelog 2013-01-11 17:58:46.000000000 -0600
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2012-004 (the full diff between
+ 7.17 and 7.18)
+
+ -- Gunnar Wolf <gw...@debian.org> Fri, 11 Jan 2013 17:57:47 -0600
+
drupal7 (7.14-1.1) unstable; urgency=low
* Non-maintainer upload.
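Review bot: the entry describes the fix as "the full diff between 7.17 and 7.18", but the debdiff only touches includes/file.inc, modules/user/user.test and modules/user/user.module, and it contains no change to the update-status check the reporter asked to have silenced; say in the changelog (or in the bug) whether that request was deliberately left out so users know the remaining "new version available" warning is a version-string mismatch and not a missing fix.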
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004
drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004 1969-12-31
18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-11
17:56:43.000000000 -0600
@@ -0,0 +1,83 @@
+Index: drupal7-7.14/includes/file.inc
+===================================================================
+--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000
-0500
++++ drupal7-7.14/includes/file.inc 2013-01-11 17:49:01.000000000 -0600
+@@ -1113,6 +1113,9 @@
+
+ // Allow potentially insecure uploads for very savvy users and admin
+ if (!variable_get('allow_insecure_uploads', 0)) {
++ // Remove any null bytes. See
http://php.net/manual/en/security.filesystem.nullbytes.php
++ $filename = str_replace(chr(0), '', $filename);
++
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+
+ // Split the filename up by periods. The first part becomes the basename
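Review bot: the new `$filename = str_replace(chr(0), '', $filename);` sits inside the `if (!variable_get('allow_insecure_uploads', 0))` branch, so sites that have set allow_insecure_uploads keep embedded null bytes in filenames; null bytes are never legitimate in a filename and stripping them costs nothing even when extension munging is disabled, so consider hoisting that one line above the `if`. If you prefer to stay byte-for-byte with upstream 7.18, leave it, but note the gap in the patch header.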
+Index: drupal7-7.14/modules/user/user.test
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.test 2012-05-02 17:10:42.000000000
-0500
++++ drupal7-7.14/modules/user/user.test 2013-01-11 17:50:51.000000000
-0600
+@@ -2020,7 +2020,7 @@
+ public static function getInfo() {
+ return array(
+ 'name' => 'User search',
+- 'description' => 'Testing that only user with the right permission can
see the email address in the user search.',
++ 'description' => 'Tests the user search page and verifies that
sensitive information is hidden from unauthorized users.',
+ 'group' => 'User',
+ );
+ }
+@@ -2040,11 +2040,29 @@
+ $edit = array('keys' => $keys);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertText($keys);
++
++ // Create a blocked user.
++ $blocked_user = $this->drupalCreateUser();
++ $edit = array('status' => 0);
++ $blocked_user = user_save($blocked_user, $edit);
++
++ // Verify that users with "administer users" permissions can see blocked
++ // accounts in search results.
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertText($blocked_user->name, 'Blocked users are listed on the
user search results for users with the "administer users" permission.');
++
++ // Verify that users without "administer users" permissions do not see
++ // blocked accounts in search results.
++ $this->drupalLogin($user1);
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertNoText($blocked_user->name, 'Blocked users are hidden from
the user search results.');
++
+ $this->drupalLogout();
+ }
+ }
+
+-
+ /**
+ * Test role assignment.
+ */
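Review bot: the closing `$this->assertNoText($blocked_user->name, ...)` for `$user1` would also pass if the search page errored out or returned no results at all; pair it with a positive assertion in the same response (for example that an active user's name still appears, as the earlier `$this->assertText($keys)` does for the administrator) so the test proves the status filter rather than an empty page. The administrator-side check also relies on the account logged in above the hunk having "administer users"; a short comment naming that account would make the dependency explicit.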
+Index: drupal7-7.14/modules/user/user.module
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.module 2013-01-11 17:56:26.000000000
-0600
++++ drupal7-7.14/modules/user/user.module 2013-01-11 17:56:39.000000000
-0600
+@@ -924,14 +924,18 @@
+ $query = db_select('users')->extend('PagerDefault');
+ $query->fields('users', array('uid'));
+ if (user_access('administer users')) {
+- // Administrators can also search in the otherwise private email field.
++ // Administrators can also search in the otherwise private email field,
++ // and they don't need to be restricted to only active users.
+ $query->fields('users', array('mail'));
+ $query->condition(db_or()->
+ condition('name', '%' . db_like($keys) . '%', 'LIKE')->
+ condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
+ }
+ else {
+- $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
++ // Regular users can only search via usernames, and we do not show them
++ // blocked accounts.
++ $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
++ ->condition('status', 1);
+ }
+ $uids = $query
+ ->limit(15)
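Review bot: the chained `->condition('status', 1)` is applied only in the non-administrator branch, which matches the new comment; since `$query` is extended with `PagerDefault`, confirm that the pager's count query is derived from this same object after the condition is added, otherwise the result count shown to regular users would still include blocked accounts.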
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2012-10-19 13:14:34.000000000 -0500
+++ drupal7-7.14/debian/patches/series 2013-01-11 17:47:21.000000000 -0600
@@ -1,3 +1,4 @@
10_cronjob.patch
30_DFSG-sources.patch
40_SA-CORE-2012-003
+50_SA-CORE-2012-004
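Review bot: the quilt patch registered here starts directly at `Index: drupal7-7.14/includes/file.inc` with no DEP-3 header; add `Description:`, `Origin:` (the upstream 7.17 to 7.18 diff) and `Bug-Debian: http://bugs.debian.org/696342` lines at the top of debian/patches/50_SA-CORE-2012-004 so the provenance survives the NMU.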
--- End Message ---