
upload drupal7



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

I have prepared an LTS security update for drupal7 [1]. The debdiff is
attached. Please review and upload. I tested it on a clean wheezy VM.

[1]https://mentors.debian.net/debian/pool/main/d/drupal7/drupal7_7.14-2+
deb7u19.dsc


- --abhijith
-----BEGIN PGP SIGNATURE-----
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=vpjB
-----END PGP SIGNATURE-----
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog	2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/changelog	2018-04-26 03:14:26.000000000 +0530
@@ -1,3 +1,13 @@
+drupal7 (7.14-2+deb7u19) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2018-7602: A remote code execution vulnerability exists within 
+    multiple subsystems of Drupal 7.x and 8.x. This potentially allows 
+    attackers to exploit multiple attack vectors on a Drupal site, 
+    which could result in the site being compromised.
+
+ -- Abhijith PA <abhijith@disroot.org>  Thu, 26 Apr 2018 03:14:26 +0530
+
 drupal7 (7.14-2+deb7u18) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru drupal7-7.14/debian/patches/CVE-2018-7602.patch drupal7-7.14/debian/patches/CVE-2018-7602.patch
--- drupal7-7.14/debian/patches/CVE-2018-7602.patch	1970-01-01 05:30:00.000000000 +0530
+++ drupal7-7.14/debian/patches/CVE-2018-7602.patch	2018-04-26 03:13:01.000000000 +0530
@@ -0,0 +1,91 @@
+Description: CVE-2018-7602
+ A remote code execution vulnerability exists within multiple subsystems of 
+ Drupal. This potentially allows attackers to exploit multiple attack vectors on
+ a Drupal site, which could result in the site being compromised.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
+Bug-Debian: https://bugs.debian.org/896701
+Last-Update: 2018-04-25
+
+--- drupal7-7.14.orig/includes/bootstrap.inc
++++ drupal7-7.14/includes/bootstrap.inc
+@@ -2458,6 +2458,11 @@ function _drupal_bootstrap_variables() {
+       unset($_GET['destination']);
+       unset($_REQUEST['destination']);
+     }
++    // Use the DrupalRequestSanitizer to ensure that the destination's query
++    // parameters are not dangerous.
++    if (isset($_GET['destination'])) {
++      DrupalRequestSanitizer::cleanDestination();
++    }
+     // If there's still something in $_REQUEST['destination'] that didn't come
+     // from $_GET, check it too.
+     if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
+--- drupal7-7.14.orig/includes/common.inc
++++ drupal7-7.14/includes/common.inc
+@@ -601,8 +601,9 @@ function drupal_parse_url($url) {
+   }
+   // The 'q' parameter contains the path of the current page if clean URLs are
+   // disabled. It overrides the 'path' of the URL when present, even if clean
+-  // URLs are enabled, due to how Apache rewriting rules work.
+-  if (isset($options['query']['q'])) {
++  // URLs are enabled, due to how Apache rewriting rules work. The path
++  // parameter must be a string.
++  if (isset($options['query']['q']) && is_string($options['query']['q'])) {
+     $options['path'] = $options['query']['q'];
+     unset($options['query']['q']);
+   }
+--- drupal7-7.14.orig/includes/request-sanitizer.inc
++++ drupal7-7.14/includes/request-sanitizer.inc
+@@ -52,6 +52,38 @@ class DrupalRequestSanitizer {
+   }
+ 
+   /**
++   * Removes the destination if it is dangerous.
++   *
++   * Note this can only be called after common.inc has been included.
++   *
++   * @return bool
++   *   TRUE if the destination has been removed from $_GET, FALSE if not.
++   */
++  public static function cleanDestination() {
++    $dangerous_keys = array();
++    $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
++
++    $parts = drupal_parse_url($_GET['destination']);
++    // If there is a query string, check its query parameters.
++    if (!empty($parts['query'])) {
++      $whitelist = variable_get('sanitize_input_whitelist', array());
++
++      self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
++      if (!empty($dangerous_keys)) {
++        // The destination is removed rather than sanitized to mirror the
++        // handling of external destinations.
++        unset($_GET['destination']);
++        unset($_REQUEST['destination']);
++        if ($log_sanitized_keys) {
++          trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
++        }
++        return TRUE;
++      }
++    }
++    return FALSE;
++  }
++
++  /**
+    * Strips dangerous keys from the provided input.
+    *
+    * @param mixed $input
+--- drupal7-7.14.orig/modules/file/file.module
++++ drupal7-7.14/modules/file/file.module
+@@ -239,6 +239,9 @@ function file_ajax_upload() {
+   $form_parents = func_get_args();
+   $form_build_id = (string) array_pop($form_parents);
+ 
++    // Sanitize form parents before using them.
++  $form_parents = array_filter($form_parents, 'element_child');
++
+   if (empty($_POST['form_build_id']) || $form_build_id != $_POST['form_build_id']) {
+     // Invalid request.
+     drupal_set_message(t('An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (@size) that this server supports.', array('@size' => format_size(file_upload_max_size()))), 'error');
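Review bot: In `cleanDestination()` a destination that is dropped for carrying dangerous keys is dropped silently unless the `sanitize_input_logging` variable is set, since `variable_get('sanitize_input_logging', FALSE)` gates the only `trigger_error()` call; the patch `Description:` should mention this so administrators who want a signal of stripped requests know to enable it. The same method hands `$_GET['destination']` to `drupal_parse_url()` unchecked, while the common.inc part of this patch adds `is_string()` for `q`, presumably because request values may be arrays; the parser body is not shown here, so please confirm an array-valued destination is handled sanely on 7.14. The method relies on `stripDangerousValues()` and on common.inc being loaded, neither of which is visible in these hunks; `series` does list CVE-2018-7600.patch first, which presumably provides the class. Style: the added comment in `file_ajax_upload()` is indented four spaces above a two-space statement and should read `  // Sanitize form parents before using them.`; that function continues past the end of the hunk.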
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series	2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/patches/series	2018-04-26 03:14:26.000000000 +0530
@@ -23,3 +23,4 @@
 SA-CORE-2017-003
 SA-CORE-2018-001.patch
 CVE-2018-7600.patch
+CVE-2018-7602.patch
