Bug#699284: unblock: drupal7/7.14-1.3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package drupal7
I have uploaded drupal7 version 7.14-1.3, closing bug #698334 (Drupal
security advisory SA-CORE-2013-001 - Cross-site scripting, Access
bypass)
You will notice I added the missing DEP3 header to the patch for
SA-CORE-2012-004 I uploaded in 7.14-1.2; it should make no functional
difference.
Thanks,
unblock drupal7/7.14-1.3
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2013-01-11 17:58:46.000000000 -0600
+++ drupal7-7.14/debian/changelog 2013-01-29 12:22:30.000000000 -0600
@@ -1,3 +1,12 @@
+drupal7 (7.14-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
+ and 7.19) (Closes: #698334)
+ * Added the missing DEP3 header to the patch introduced in 7.14-1.2
+
+ -- Gunnar Wolf <gwolf@debian.org> Tue, 29 Jan 2013 12:21:13 -0600
+
drupal7 (7.14-1.2) unstable; urgency=low
* Non-maintainer upload.
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-11 17:56:43.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-29 12:20:44.000000000 -0600
@@ -1,3 +1,15 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf@debian.org>
+Last-Update: 2013-01-11
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2012-004 (Access bypass, arbitrary code execution)
+ This patch is taken from the diff between 7.17 and 7.18, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2012-004
+
Index: drupal7-7.14/includes/file.inc
===================================================================
--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
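Review bot: The new `Origin: backport (diff between 7.18 and 7.19)` line contradicts the Description added six lines later, which says this patch is taken from the diff between 7.17 and 7.18; one of the two is wrong, and since the Origin line is identical to the one in the new 60_SA-CORE-2013-001 header it presumably was copied from there, so it should read `Origin: backport (diff between 7.17 and 7.18)`. The Description also spells the advisory id as `SA_CORE-2012-004` (underscore) while the filename and the URL below use `SA-CORE-2012-004`; the same underscore appears in the Description of the new 60_SA-CORE-2013-001 patch. Both are metadata-only and change nothing about what quilt applies, but tools and people searching by advisory id will miss them.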
diff -Nru drupal7-7.14/debian/patches/60_SA-CORE-2013-001 drupal7-7.14/debian/patches/60_SA-CORE-2013-001
--- drupal7-7.14/debian/patches/60_SA-CORE-2013-001 1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/60_SA-CORE-2013-001 2013-01-29 12:19:10.000000000 -0600
@@ -0,0 +1,127 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gwolf@debian.org>
+Last-Update: 2013-01-29
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2013-001 (Cross-site scripting, Access bypass)
+ This patch is taken from the diff between 7.18 and 7.19, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2013-001
+
+Index: drupal7-7.14/misc/collapse.js
+===================================================================
+--- drupal7-7.14.orig/misc/collapse.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/collapse.js 2013-01-29 12:15:58.000000000 -0600
+@@ -58,9 +58,9 @@
+ $('fieldset.collapsible', context).once('collapse', function () {
+ var $fieldset = $(this);
+ // Expand fieldset if there are errors inside, or if it contains an
+- // element that is targeted by the uri fragment identifier.
++ // element that is targeted by the uri fragment identifier.
+ var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
+- if ($('.error' + anchor, $fieldset).length) {
++ if ($fieldset.find('.error' + anchor).length) {
+ $fieldset.removeClass('collapsed');
+ }
+
+Index: drupal7-7.14/misc/drupal.js
+===================================================================
+--- drupal7-7.14.orig/misc/drupal.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/drupal.js 2013-01-29 12:14:56.000000000 -0600
+@@ -7,6 +7,27 @@
+ (function ($) {
+
+ /**
++ * Override jQuery.fn.init to guard against XSS attacks.
++ *
++ * See http://bugs.jquery.com/ticket/9521
++ */
++var jquery_init = $.fn.init;
++$.fn.init = function (selector, context, rootjQuery) {
++ // If the string contains a "#" before a "<", treat it as invalid HTML.
++ if (selector && typeof selector === 'string') {
++ var hash_position = selector.indexOf('#');
++ if (hash_position >= 0) {
++ var bracket_position = selector.indexOf('<');
++ if (bracket_position > hash_position) {
++ throw 'Syntax error, unrecognized expression: ' + selector;
++ }
++ }
++ }
++ return jquery_init.call(this, selector, context, rootjQuery);
++};
++$.fn.init.prototype = jquery_init.prototype;
++
++/**
+ * Attach all registered behaviors to a page element.
+ *
+ * Behaviors are event-triggered actions that attach to page elements, enhancing
+Index: drupal7-7.14/misc/vertical-tabs.js
+===================================================================
+--- drupal7-7.14.orig/misc/vertical-tabs.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/vertical-tabs.js 2013-01-29 12:14:56.000000000 -0600
+@@ -50,8 +50,8 @@
+ if (!tab_focus) {
+ // If the current URL has a fragment and one of the tabs contains an
+ // element that matches the URL fragment, activate that tab.
+- if (window.location.hash && $(window.location.hash, this).length) {
+- tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
++ if (window.location.hash && $(this).find(window.location.hash).length) {
++ tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
+ }
+ else {
+ tab_focus = $('> .vertical-tabs-pane:first', this);
+Index: drupal7-7.14/modules/book/book.pages.inc
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.pages.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.pages.inc 2013-01-29 12:14:56.000000000 -0600
+@@ -38,6 +38,15 @@
+ * format determined by the $type parameter.
+ */
+ function book_export($type, $nid) {
++ // Check that the node exists and that the current user has access to it.
++ $node = node_load($nid);
++ if (!$node) {
++ return MENU_NOT_FOUND;
++ }
++ if (!node_access('view', $node)) {
++ return MENU_ACCESS_DENIED;
++ }
++
+ $type = drupal_strtolower($type);
+
+ $export_function = 'book_export_' . $type;
+Index: drupal7-7.14/modules/book/book.test
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.test 2013-01-29 12:14:56.000000000 -0600
+@@ -258,6 +258,13 @@
+ // Try getting the URL directly, and verify it fails.
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', t('Anonymous user properly forbidden.'));
++
++ // Now grant anonymous users permission to view the printer-friendly
++ // version and verify that node access restrictions still prevent them from
++ // seeing it.
++ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
++ $this->drupalGet('book/export/html/' . $this->book->nid);
++ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
+ }
+
+ /**
+Index: drupal7-7.14/modules/image/image.module
+===================================================================
+--- drupal7-7.14.orig/modules/image/image.module 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/image/image.module 2013-01-29 12:14:56.000000000 -0600
+@@ -292,7 +292,8 @@
+ if ($info = image_get_info($uri)) {
+ // Check the permissions of the original to grant access to this image.
+ $headers = module_invoke_all('file_download', $original_uri);
+- if (!in_array(-1, $headers)) {
++ // Confirm there's at least one module granting access and none denying access.
++ if (!empty($headers) && !in_array(-1, $headers)) {
+ return array(
+ // Send headers describing the image's size, and MIME-type...
+ 'Content-Type' => $info['mime_type'],
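Review bot: The `$.fn.init` override added to misc/drupal.js only rejects a string whose first `#` comes before its first `<`, so it is a narrow guard for the fragment-passed-as-HTML case rather than a general HTML/selector separator, and a one-line comment above the check would save the next reader from assuming more, e.g. `// Heuristic: only strings where '#' precedes '<' are rejected; strings starting with '<' are still parsed as HTML.`. The override also throws a plain string (`throw 'Syntax error, unrecognized expression: ' + selector;`), which mirrors jQuery's own error style but leaves callers without `.message` or `.stack`; keeping it byte-identical to the upstream 7.19 diff is still preferable so that later security backports apply cleanly. The companion hunks in collapse.js and vertical-tabs.js replace `$(fragment, context)` with `.find(fragment)`, which is the pattern site-specific JavaScript shipped alongside this package should follow too, since the guard only covers strings routed through the jQuery constructor. The Description line writes the advisory id as `SA_CORE-2013-001` with an underscore, unlike the filename and the URL two lines below it.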
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2013-01-11 17:47:21.000000000 -0600
+++ drupal7-7.14/debian/patches/series 2013-01-29 12:14:19.000000000 -0600
@@ -2,3 +2,4 @@
30_DFSG-sources.patch
40_SA-CORE-2012-003
50_SA-CORE-2012-004
+60_SA-CORE-2013-001