
Bug#697959: marked as done (unblock: drupal7/7.14-1.2)



Your message dated Sat, 12 Jan 2013 11:57:12 +0000
with message-id <1357991832.32456.22.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697959: unblock: drupal7/7.14-1.2
has caused the Debian Bug report #697959,
regarding unblock: drupal7/7.14-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697959: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697959
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package drupal7

7.14-1.2 backports the patch between 7.17 and 7.18, which fixes one
arbitrary code execution and one information disclosure vulnerability:

http://drupal.org/SA-CORE-2012-004

I am attaching the debdiff between 7.14-1.1 (currently in testing) and
this version.

Thanks,

unblock drupal7/7.14-1.2

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog	2012-10-19 13:09:14.000000000 -0500
+++ drupal7-7.14/debian/changelog	2013-01-11 17:58:46.000000000 -0600
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Incorporated the fix for SA-CORE-2012-004 (the full diff between
+    7.17 and 7.18)
+
+ -- Gunnar Wolf <gwolf@debian.org>  Fri, 11 Jan 2013 17:57:47 -0600
+
 drupal7 (7.14-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
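Review bot: the 7.14-1.2 changelog entry describes a security fix yet sets `urgency=low`; a security NMU normally carries `urgency=high` so the upload migrates promptly. The entry also names only the advisory (SA-CORE-2012-004); adding the corresponding CVE identifiers (not listed in this debdiff) and any Debian bug number would make the fix traceable from the security tracker.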
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004	1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004	2013-01-11 17:56:43.000000000 -0600
@@ -0,0 +1,83 @@
+Index: drupal7-7.14/includes/file.inc
+===================================================================
+--- drupal7-7.14.orig/includes/file.inc	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/includes/file.inc	2013-01-11 17:49:01.000000000 -0600
+@@ -1113,6 +1113,9 @@
+ 
+   // Allow potentially insecure uploads for very savvy users and admin
+   if (!variable_get('allow_insecure_uploads', 0)) {
++    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
++    $filename = str_replace(chr(0), '', $filename);
++
+     $whitelist = array_unique(explode(' ', trim($extensions)));
+ 
+     // Split the filename up by periods. The first part becomes the basename
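Review bot: the new null-byte stripping in the `+@@ -1113,6 +1113,9 @@` region sits inside `if (!variable_get('allow_insecure_uploads', 0))`, so a site that has enabled insecure uploads keeps `$filename` untouched, embedded `chr(0)` included; if that scoping is intended, a comment saying so would help the next reader, otherwise `$filename = str_replace(chr(0), '', $filename);` belongs before the `if`. Separately, `debian/patches/50_SA-CORE-2012-004` opens directly with `Index:` and carries no DEP-3 header (Description, Origin, Bug, Applied-Upstream); a short header pointing at http://drupal.org/SA-CORE-2012-004 and stating that this is the upstream 7.17-to-7.18 diff would document the patch's provenance in the package itself.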
+Index: drupal7-7.14/modules/user/user.test
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.test	2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/user/user.test	2013-01-11 17:50:51.000000000 -0600
+@@ -2020,7 +2020,7 @@
+   public static function getInfo() {
+     return array(
+       'name' => 'User search',
+-      'description' => 'Testing that only user with the right permission can see the email address in the user search.',
++      'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
+       'group' => 'User',
+     );
+   }
+@@ -2040,11 +2040,29 @@
+     $edit = array('keys' => $keys);
+     $this->drupalPost('search/user/', $edit, t('Search'));
+     $this->assertText($keys);
++
++    // Create a blocked user.
++    $blocked_user = $this->drupalCreateUser();
++    $edit = array('status' => 0);
++    $blocked_user = user_save($blocked_user, $edit);
++
++    // Verify that users with "administer users" permissions can see blocked
++    // accounts in search results.
++    $edit = array('keys' => $blocked_user->name);
++    $this->drupalPost('search/user/', $edit, t('Search'));
++    $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
++
++    // Verify that users without "administer users" permissions do not see
++    // blocked accounts in search results.
++    $this->drupalLogin($user1);
++    $edit = array('keys' => $blocked_user->name);
++    $this->drupalPost('search/user/', $edit, t('Search'));
++    $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
++
+     $this->drupalLogout();
+   }
+ }
+ 
+-
+ /**
+  * Test role assignment.
+  */
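Review bot: the assertion at `$this->assertText($blocked_user->name, 'Blocked users are listed ...')` only holds if the account logged in at that point has the 'administer users' permission, which is set up outside this hunk; a comment naming that precondition, or an explicit `drupalLogin` of the administrator right before the post, would keep the test robust against reordering. The removal of the blank line before `/** Test role assignment. */` is a whitespace-only change unrelated to the security fix; harmless, but it could be dropped from a targeted backport to keep the debdiff minimal.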
+Index: drupal7-7.14/modules/user/user.module
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.module	2013-01-11 17:56:26.000000000 -0600
++++ drupal7-7.14/modules/user/user.module	2013-01-11 17:56:39.000000000 -0600
+@@ -924,14 +924,18 @@
+   $query = db_select('users')->extend('PagerDefault');
+   $query->fields('users', array('uid'));
+   if (user_access('administer users')) {
+-    // Administrators can also search in the otherwise private email field.
++    // Administrators can also search in the otherwise private email field,
++    // and they don't need to be restricted to only active users.
+     $query->fields('users', array('mail'));
+     $query->condition(db_or()->
+       condition('name', '%' . db_like($keys) . '%', 'LIKE')->
+       condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
+   }
+   else {
+-    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
++    // Regular users can only search via usernames, and we do not show them
++    // blocked accounts.
++    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
++      ->condition('status', 1);
+   }
+   $uids = $query
+     ->limit(15)
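Review bot: the non-admin branch now chains `->condition('status', 1)` onto the `condition('name', ...)` call, so blocked accounts are excluded from `search/user/` for users without 'administer users'; this is the information-disclosure half of the advisory, and the admin branch deliberately keeps returning blocked accounts, as the updated comment says. The chaining relies on `condition()` returning the query object, which is the same pattern the admin branch already uses with `db_or()`, so the style is consistent; the accompanying user.test change in this same patch file is what exercises both branches, and should be kept together with this hunk if the backport is ever split.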
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series	2012-10-19 13:14:34.000000000 -0500
+++ drupal7-7.14/debian/patches/series	2013-01-11 17:47:21.000000000 -0600
@@ -1,3 +1,4 @@
 10_cronjob.patch
 30_DFSG-sources.patch
 40_SA-CORE-2012-003
+50_SA-CORE-2012-004

--- End Message ---
--- Begin Message ---
On Fri, 2013-01-11 at 18:09 -0600, Gunnar Wolf wrote:
> Please unblock package drupal7
> 
> 7.14-1.2 backports the patch between 7.17 and 7.18, which fixes one
> arbitrary code execution and one information disclosure vulnerability:
> 
> http://drupal.org/SA-CORE-2012-004

Unblocked; thanks.

Regards,

Adam

--- End Message ---
