
Bug#699284: unblock: drupal7/7.14-1.3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package drupal7

I have uploaded drupal7 version 7.14-1.3, closing bug #698334 (Drupal
security advisory SA-CORE-2013-001 - Cross-site scripting, Access
bypass)

You will notice I added the missing DEP3 header to the patch for
SA-CORE-2012-004 I uploaded in 7.14-1.2; it should make no functional
difference.

Thanks,

unblock drupal7/7.14-1.3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog	2013-01-11 17:58:46.000000000 -0600
+++ drupal7-7.14/debian/changelog	2013-01-29 12:22:30.000000000 -0600
@@ -1,3 +1,12 @@
+drupal7 (7.14-1.3) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
+    and 7.19) (Closes: #698334)
+  * Added the missing DEP3 header to the patch introduced in 7.14-1.2
+
+ -- Gunnar Wolf <gwolf@debian.org>  Tue, 29 Jan 2013 12:21:13 -0600
+
 drupal7 (7.14-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004	2013-01-11 17:56:43.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004	2013-01-29 12:20:44.000000000 -0600
@@ -1,3 +1,15 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf@debian.org>
+Last-Update: 2013-01-11
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2012-004 (Access bypass, arbitrary code execution)
+ This patch is taken from the diff between 7.17 and 7.18, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2012-004
+
 Index: drupal7-7.14/includes/file.inc
 ===================================================================
 --- drupal7-7.14.orig/includes/file.inc	2012-05-02 17:10:42.000000000 -0500
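Review bot: The `Origin:` line added at the top of this header says `backport (diff between 7.18 and 7.19)`, but the description body a few lines below says the patch is taken from the diff between 7.17 and 7.18, and the changelog entry attributes only SA-CORE-2013-001 to the 7.18/7.19 diff; the Origin line looks copied from the 60_SA-CORE-2013-001 header and should presumably read `Origin: backport (diff between 7.17 and 7.18)`. The `Description:` line also spells the advisory as `SA_CORE-2012-004` with an underscore where every other reference uses `SA-CORE-2012-004`; the same underscore appears in the `Description:` line of the 60_SA-CORE-2013-001 header in the next file. `Last-Update: 2013-01-11` predates the date the header itself was added (2013-01-29), which is fine if it is meant to record the patch's original date, but worth confirming.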
diff -Nru drupal7-7.14/debian/patches/60_SA-CORE-2013-001 drupal7-7.14/debian/patches/60_SA-CORE-2013-001
--- drupal7-7.14/debian/patches/60_SA-CORE-2013-001	1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/60_SA-CORE-2013-001	2013-01-29 12:19:10.000000000 -0600
@@ -0,0 +1,127 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf@debian.org>
+Last-Update: 2013-01-29
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2013-001 (Cross-site scripting, Access bypass)
+ This patch is taken from the diff between 7.18 and 7.19, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2013-001
+
+Index: drupal7-7.14/misc/collapse.js
+===================================================================
+--- drupal7-7.14.orig/misc/collapse.js	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/collapse.js	2013-01-29 12:15:58.000000000 -0600
+@@ -58,9 +58,9 @@
+     $('fieldset.collapsible', context).once('collapse', function () {
+       var $fieldset = $(this);
+       // Expand fieldset if there are errors inside, or if it contains an
+-      // element that is targeted by the uri fragment identifier. 
++      // element that is targeted by the uri fragment identifier.
+       var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
+-      if ($('.error' + anchor, $fieldset).length) {
++      if ($fieldset.find('.error' + anchor).length) {
+         $fieldset.removeClass('collapsed');
+       }
+ 
+Index: drupal7-7.14/misc/drupal.js
+===================================================================
+--- drupal7-7.14.orig/misc/drupal.js	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/drupal.js	2013-01-29 12:14:56.000000000 -0600
+@@ -7,6 +7,27 @@
+ (function ($) {
+ 
+ /**
++ * Override jQuery.fn.init to guard against XSS attacks.
++ *
++ * See http://bugs.jquery.com/ticket/9521
++ */
++var jquery_init = $.fn.init;
++$.fn.init = function (selector, context, rootjQuery) {
++  // If the string contains a "#" before a "<", treat it as invalid HTML.
++  if (selector && typeof selector === 'string') {
++    var hash_position = selector.indexOf('#');
++    if (hash_position >= 0) {
++      var bracket_position = selector.indexOf('<');
++      if (bracket_position > hash_position) {
++        throw 'Syntax error, unrecognized expression: ' + selector;
++      }
++    }
++  }
++  return jquery_init.call(this, selector, context, rootjQuery);
++};
++$.fn.init.prototype = jquery_init.prototype;
++
++/**
+  * Attach all registered behaviors to a page element.
+  *
+  * Behaviors are event-triggered actions that attach to page elements, enhancing
+Index: drupal7-7.14/misc/vertical-tabs.js
+===================================================================
+--- drupal7-7.14.orig/misc/vertical-tabs.js	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/vertical-tabs.js	2013-01-29 12:14:56.000000000 -0600
+@@ -50,8 +50,8 @@
+       if (!tab_focus) {
+         // If the current URL has a fragment and one of the tabs contains an
+         // element that matches the URL fragment, activate that tab.
+-        if (window.location.hash && $(window.location.hash, this).length) {
+-          tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
++        if (window.location.hash && $(this).find(window.location.hash).length) {
++          tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
+         }
+         else {
+           tab_focus = $('> .vertical-tabs-pane:first', this);
+Index: drupal7-7.14/modules/book/book.pages.inc
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.pages.inc	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.pages.inc	2013-01-29 12:14:56.000000000 -0600
+@@ -38,6 +38,15 @@
+  *   format determined by the $type parameter.
+  */
+ function book_export($type, $nid) {
++  // Check that the node exists and that the current user has access to it.
++  $node = node_load($nid);
++  if (!$node) {
++    return MENU_NOT_FOUND;
++  }
++  if (!node_access('view', $node)) {
++    return MENU_ACCESS_DENIED;
++  }
++
+   $type = drupal_strtolower($type);
+ 
+   $export_function = 'book_export_' . $type;
+Index: drupal7-7.14/modules/book/book.test
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.test	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.test	2013-01-29 12:14:56.000000000 -0600
+@@ -258,6 +258,13 @@
+     // Try getting the URL directly, and verify it fails.
+     $this->drupalGet('book/export/html/' . $this->book->nid);
+     $this->assertResponse('403', t('Anonymous user properly forbidden.'));
++
++    // Now grant anonymous users permission to view the printer-friendly
++    // version and verify that node access restrictions still prevent them from
++    // seeing it.
++    user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
++    $this->drupalGet('book/export/html/' . $this->book->nid);
++    $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
+   }
+ 
+   /**
+Index: drupal7-7.14/modules/image/image.module
+===================================================================
+--- drupal7-7.14.orig/modules/image/image.module	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/image/image.module	2013-01-29 12:14:56.000000000 -0600
+@@ -292,7 +292,8 @@
+     if ($info = image_get_info($uri)) {
+       // Check the permissions of the original to grant access to this image.
+       $headers = module_invoke_all('file_download', $original_uri);
+-      if (!in_array(-1, $headers)) {
++      // Confirm there's at least one module granting access and none denying access.
++      if (!empty($headers) && !in_array(-1, $headers)) {
+         return array(
+           // Send headers describing the image's size, and MIME-type...
+           'Content-Type' => $info['mime_type'],
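Review bot: The `$.fn.init` override added in the misc/drupal.js part of this patch throws a bare string, `throw 'Syntax error, unrecognized expression: ' + selector;`, which carries no stack trace and will not satisfy `instanceof Error` checks in any caller's catch block; `throw new Error('Syntax error, unrecognized expression: ' + selector);` is the conventional form. Since the changelog describes this patch as the full 7.18 to 7.19 diff, keeping upstream's wording verbatim is a defensible choice, but it should be a deliberate one rather than an oversight. Note also that the guard only inspects string selectors, and the change that actually stops `location.hash` being interpreted as HTML appears to be the `.find()` rewrites in collapse.js and vertical-tabs.js, so the override is best read as defence in depth for other callers that still pass the fragment straight to `$()`.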
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series	2013-01-11 17:47:21.000000000 -0600
+++ drupal7-7.14/debian/patches/series	2013-01-29 12:14:19.000000000 -0600
@@ -2,3 +2,4 @@
 30_DFSG-sources.patch
 40_SA-CORE-2012-003
 50_SA-CORE-2012-004
+60_SA-CORE-2013-001
