upload drupal7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
I have prepared LTS security update for drupal7[1] . Debdiff is
attached. Please review and upload. I tested it on a clean wheezy vm
[1]https://mentors.debian.net/debian/pool/main/d/drupal7/drupal7_7.14-2+
deb7u19.dsc
- --abhijith
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlrhP0sACgkQhj1N8u2c
KO+NMQ//VBcmJujC7v/iVzXcWBSg9cailAFOJ5lC8VCkpjN9Vb5RrO1wOqbVGAux
6vh2gFQe0jdL2mYoUT88mI9Bep/8ZyhNRrllL+gZun/3JZ/FFyd5hpO8+1Q/II0I
m8Zm+A1wkBq0MkV6Uv7+QdlyL8mzONTMhfB9VZOHMvOdqUfnWRvfuvjuJ8bCkUGd
blmplnmZIK0F1c2sZh6o6pZpR0X3ffmiYJdQL4Wg9vuRqZzE+erbmofXqj6rp6nx
TEvI3e/hvblhWRB75iwhcZEbGb3C1VWyhIfaZs9z780VnFUf35ZALDcXM+xokmfu
/Ks3XiJlBGkUOKsCHVXUWgF/M6TJm8ucpQpE2d2PQBl/Z8NC1vUVEGxO3CohHV9s
NbWxM/IRyN6+neXuHvj7J/NcQJa7BaOVkQuoruaaYM3wzlAmoCT+LvXQNarEyWT0
y/AC15kG0cC7sFTq9niwZl1jP7v0HkbMsbfL7SPnkQ7qg1ZVrPDh9QnJE7LaqWzH
xjBLltKMpKJB9QHMhp/O62DBRLmH9uST3glJLBAT0DtfqpF3S4nXFBdMcengF55f
cIw4bZBypTLROZnsAYBrGO5FZy2ImLatq12oqPDrZ8rtP5YeaeD22zrA5VTNOxK5
vWczPgvZfmeDIiv1Oj0OknFQw9jodpyQBJFwuT0g2UgAnxJH/Os=
=vpjB
-----END PGP SIGNATURE-----
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/changelog 2018-04-26 03:14:26.000000000 +0530
@@ -1,3 +1,13 @@
+drupal7 (7.14-2+deb7u19) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2018-7602: A remote code execution vulnerability exists within
+ multiple subsystems of Drupal 7.x and 8.x. This potentially allows
+ attackers to exploit multiple attack vectors on a Drupal site,
+ which could result in the site being compromised.
+
+ -- Abhijith PA <abhijith@disroot.org> Thu, 26 Apr 2018 03:14:26 +0530
+
drupal7 (7.14-2+deb7u18) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
diff -Nru drupal7-7.14/debian/patches/CVE-2018-7602.patch drupal7-7.14/debian/patches/CVE-2018-7602.patch
--- drupal7-7.14/debian/patches/CVE-2018-7602.patch 1970-01-01 05:30:00.000000000 +0530
+++ drupal7-7.14/debian/patches/CVE-2018-7602.patch 2018-04-26 03:13:01.000000000 +0530
@@ -0,0 +1,91 @@
+Description: CVE-2018-7602
+ A remote code execution vulnerability exists within multiple subsystems of
+ Drupal. This potentially allows attackers to exploit multiple attack vectors on
+ a Drupal site, which could result in the site being compromised.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
+Bug-Debian: https://bugs.debian.org/896701
+Last-Update: 2018-04-25
+
+--- drupal7-7.14.orig/includes/bootstrap.inc
++++ drupal7-7.14/includes/bootstrap.inc
+@@ -2458,6 +2458,11 @@ function _drupal_bootstrap_variables() {
+ unset($_GET['destination']);
+ unset($_REQUEST['destination']);
+ }
++ // Use the DrupalRequestSanitizer to ensure that the destination's query
++ // parameters are not dangerous.
++ if (isset($_GET['destination'])) {
++ DrupalRequestSanitizer::cleanDestination();
++ }
+ // If there's still something in $_REQUEST['destination'] that didn't come
+ // from $_GET, check it too.
+ if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
+--- drupal7-7.14.orig/includes/common.inc
++++ drupal7-7.14/includes/common.inc
+@@ -601,8 +601,9 @@ function drupal_parse_url($url) {
+ }
+ // The 'q' parameter contains the path of the current page if clean URLs are
+ // disabled. It overrides the 'path' of the URL when present, even if clean
+- // URLs are enabled, due to how Apache rewriting rules work.
+- if (isset($options['query']['q'])) {
++ // URLs are enabled, due to how Apache rewriting rules work. The path
++ // parameter must be a string.
++ if (isset($options['query']['q']) && is_string($options['query']['q'])) {
+ $options['path'] = $options['query']['q'];
+ unset($options['query']['q']);
+ }
+--- drupal7-7.14.orig/includes/request-sanitizer.inc
++++ drupal7-7.14/includes/request-sanitizer.inc
+@@ -52,6 +52,38 @@ class DrupalRequestSanitizer {
+ }
+
+ /**
++ * Removes the destination if it is dangerous.
++ *
++ * Note this can only be called after common.inc has been included.
++ *
++ * @return bool
++ * TRUE if the destination has been removed from $_GET, FALSE if not.
++ */
++ public static function cleanDestination() {
++ $dangerous_keys = array();
++ $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
++
++ $parts = drupal_parse_url($_GET['destination']);
++ // If there is a query string, check its query parameters.
++ if (!empty($parts['query'])) {
++ $whitelist = variable_get('sanitize_input_whitelist', array());
++
++ self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
++ if (!empty($dangerous_keys)) {
++ // The destination is removed rather than sanitized to mirror the
++ // handling of external destinations.
++ unset($_GET['destination']);
++ unset($_REQUEST['destination']);
++ if ($log_sanitized_keys) {
++ trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
++ }
++ return TRUE;
++ }
++ }
++ return FALSE;
++ }
++
++ /**
+ * Strips dangerous keys from the provided input.
+ *
+ * @param mixed $input
+--- drupal7-7.14.orig/modules/file/file.module
++++ drupal7-7.14/modules/file/file.module
+@@ -239,6 +239,9 @@ function file_ajax_upload() {
+ $form_parents = func_get_args();
+ $form_build_id = (string) array_pop($form_parents);
+
++ // Sanitize form parents before using them.
++ $form_parents = array_filter($form_parents, 'element_child');
++
+ if (empty($_POST['form_build_id']) || $form_build_id != $_POST['form_build_id']) {
+ // Invalid request.
+ drupal_set_message(t('An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (@size) that this server supports.', array('@size' => format_size(file_upload_max_size()))), 'error');
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/patches/series 2018-04-26 03:14:26.000000000 +0530
@@ -23,3 +23,4 @@
SA-CORE-2017-003
SA-CORE-2018-001.patch
CVE-2018-7600.patch
+CVE-2018-7602.patch
Reply to: