
Bug#697959: unblock: drupal7/7.14-1.2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package drupal7

7.14-1.2 backports the patch between 7.17 and 7.18, which fixes one
arbitrary code execution and one information disclosure vulnerability:

http://drupal.org/SA-CORE-2012-004

I am attaching the debdiff between 7.14-1.1 (currently in testing) and
this version.

Thanks,

unblock drupal7/7.14-1.2

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog	2012-10-19 13:09:14.000000000 -0500
+++ drupal7-7.14/debian/changelog	2013-01-11 17:58:46.000000000 -0600
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Incorporated the fix for SA-CORE-2012-004 (the full diff between
+    7.17 and 7.18)
+
+ -- Gunnar Wolf <gwolf@debian.org>  Fri, 11 Jan 2013 17:57:47 -0600
+
 drupal7 (7.14-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004	1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004	2013-01-11 17:56:43.000000000 -0600
@@ -0,0 +1,83 @@
+Index: drupal7-7.14/includes/file.inc
+===================================================================
+--- drupal7-7.14.orig/includes/file.inc	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/includes/file.inc	2013-01-11 17:49:01.000000000 -0600
+@@ -1113,6 +1113,9 @@
+ 
+   // Allow potentially insecure uploads for very savvy users and admin
+   if (!variable_get('allow_insecure_uploads', 0)) {
++    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
++    $filename = str_replace(chr(0), '', $filename);
++
+     $whitelist = array_unique(explode(' ', trim($extensions)));
+ 
+     // Split the filename up by periods. The first part becomes the basename
+Index: drupal7-7.14/modules/user/user.test
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.test	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/user/user.test	2013-01-11 17:50:51.000000000 -0600
+@@ -2020,7 +2020,7 @@
+   public static function getInfo() {
+     return array(
+       'name' => 'User search',
+-      'description' => 'Testing that only user with the right permission can see the email address in the user search.',
++      'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
+       'group' => 'User',
+     );
+   }
+@@ -2040,11 +2040,29 @@
+     $edit = array('keys' => $keys);
+     $this->drupalPost('search/user/', $edit, t('Search'));
+     $this->assertText($keys);
++
++    // Create a blocked user.
++    $blocked_user = $this->drupalCreateUser();
++    $edit = array('status' => 0);
++    $blocked_user = user_save($blocked_user, $edit);
++
++    // Verify that users with "administer users" permissions can see blocked
++    // accounts in search results.
++    $edit = array('keys' => $blocked_user->name);
++    $this->drupalPost('search/user/', $edit, t('Search'));
++    $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
++
++    // Verify that users without "administer users" permissions do not see
++    // blocked accounts in search results.
++    $this->drupalLogin($user1);
++    $edit = array('keys' => $blocked_user->name);
++    $this->drupalPost('search/user/', $edit, t('Search'));
++    $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
++
+     $this->drupalLogout();
+   }
+ }
+ 
+-
+ /**
+  * Test role assignment.
+  */
+Index: drupal7-7.14/modules/user/user.module
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.module	2013-01-11 17:56:26.000000000 -0600
++++ drupal7-7.14/modules/user/user.module	2013-01-11 17:56:39.000000000 -0600
+@@ -924,14 +924,18 @@
+   $query = db_select('users')->extend('PagerDefault');
+   $query->fields('users', array('uid'));
+   if (user_access('administer users')) {
+-    // Administrators can also search in the otherwise private email field.
++    // Administrators can also search in the otherwise private email field,
++    // and they don't need to be restricted to only active users.
+     $query->fields('users', array('mail'));
+     $query->condition(db_or()->
+       condition('name', '%' . db_like($keys) . '%', 'LIKE')->
+       condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
+   }
+   else {
+-    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
++    // Regular users can only search via usernames, and we do not show them
++    // blocked accounts.
++    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
++      ->condition('status', 1);
+   }
+   $uids = $query
+     ->limit(15)
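Review bot: The new patch file begins directly with `Index: drupal7-7.14/includes/file.inc` and carries no DEP-3 header, so the patch itself records neither its origin nor what it fixes; only the changelog does. Adding `Description: Backport of the SA-CORE-2012-004 fix (upstream diff between Drupal 7.17 and 7.18)` and `Origin: upstream, http://drupal.org/SA-CORE-2012-004` above the first `Index:` line would make the file self-describing when the changelog is not at hand. A point worth recording for operators is that the `str_replace(chr(0), '', $filename)` line sits inside the `!variable_get('allow_insecure_uploads', 0)` branch, so a site that has enabled insecure uploads does not get the null-byte stripping either — presumably the same placement as upstream and consistent with that setting's meaning, but it makes the setting load-bearing for this fix as well as for the extension whitelist. The function enclosing the file.inc change starts before the hunk and its name is not visible in the `@@ -1113,6 +1113,9 @@` header.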
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series	2012-10-19 13:14:34.000000000 -0500
+++ drupal7-7.14/debian/patches/series	2013-01-11 17:47:21.000000000 -0600
@@ -1,3 +1,4 @@
 10_cronjob.patch
 30_DFSG-sources.patch
 40_SA-CORE-2012-003
+50_SA-CORE-2012-004
