Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package drupal7 I have uploaded drupal7 version 7.14-1.3, closing bug #698334 (Drupal security advisory SA-CORE-2013-001 - Cross-site scripting, Access bypass) You will notice I added the missing DEP3 header to the patch for SA-CORE-2012-004 I uploaded in 7.14-1.2; it should make no functional difference. Thanks, unblock drupal7/7.14-1.3 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2013-01-11 17:58:46.000000000 -0600
+++ drupal7-7.14/debian/changelog 2013-01-29 12:22:30.000000000 -0600
@@ -1,3 +1,12 @@
+drupal7 (7.14-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
+ and 7.19) (Closes: #698334)
+ * Added the missing DEP3 header to the patch introduced in 7.14-1.2
+
+ -- Gunnar Wolf <gw...@debian.org> Tue, 29 Jan 2013 12:21:13 -0600
+
 drupal7 (7.14-1.2) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-11 17:56:43.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-29 12:20:44.000000000 -0600
@@ -1,3 +1,15 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2013-01-11
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2012-004 (Access bypass, arbitrary code execution)
+ This patch is taken from the diff between 7.17 and 7.18, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2012-004
+
 Index: drupal7-7.14/includes/file.inc
 ===================================================================
 --- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
diff -Nru drupal7-7.14/debian/patches/60_SA-CORE-2013-001 drupal7-7.14/debian/patches/60_SA-CORE-2013-001
--- drupal7-7.14/debian/patches/60_SA-CORE-2013-001 1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/60_SA-CORE-2013-001 2013-01-29 12:19:10.000000000 -0600
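Review bot: The DEP3 header added to 50_SA-CORE-2012-004 says `Origin: backport (diff between 7.18 and 7.19)`, which contradicts the Description a few lines below it stating that the patch is taken from the diff between 7.17 and 7.18 for SA-CORE-2012-004; the Origin line looks copied from the 2013-001 header and should read `Origin: backport (diff between 7.17 and 7.18)`. The Description also spells the advisory `SA_CORE-2012-004` with an underscore while the file name and the URL use `SA-CORE-2012-004`. Neither affects how the patch applies, but provenance metadata on a security backport is worth getting exact.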
@@ -0,0 +1,127 @@
+Origin: backport (diff between 7.18 and 7.19)
+Forwarded: not-needed
+From: Gunnar Wolf <gw...@debian.org>
+Last-Update: 2013-01-29
+Applied-Upstream: Yes
+Description: Fixes SA_CORE-2013-001 (Cross-site scripting, Access bypass)
+ This patch is taken from the diff between 7.18 and 7.19, applying it
+ to the currently frozen version (7.14). For further details, the
+ advisory is in:
+ .
+ http://drupal.org/SA-CORE-2013-001
+
+Index: drupal7-7.14/misc/collapse.js
+===================================================================
+--- drupal7-7.14.orig/misc/collapse.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/collapse.js 2013-01-29 12:15:58.000000000 -0600
+@@ -58,9 +58,9 @@
+ $('fieldset.collapsible', context).once('collapse', function () {
+ var $fieldset = $(this);
+ // Expand fieldset if there are errors inside, or if it contains an
+- // element that is targeted by the uri fragment identifier.
++ // element that is targeted by the uri fragment identifier.
+ var anchor = location.hash && location.hash != '#' ? ', ' + location.hash : '';
+- if ($('.error' + anchor, $fieldset).length) {
++ if ($fieldset.find('.error' + anchor).length) {
+ $fieldset.removeClass('collapsed');
+ }
+ 
+Index: drupal7-7.14/misc/drupal.js
+===================================================================
+--- drupal7-7.14.orig/misc/drupal.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/drupal.js 2013-01-29 12:14:56.000000000 -0600
+@@ -7,6 +7,27 @@
+ (function ($) {
+ 
+ /**
++ * Override jQuery.fn.init to guard against XSS attacks.
++ *
++ * See http://bugs.jquery.com/ticket/9521
++ */
++var jquery_init = $.fn.init;
++$.fn.init = function (selector, context, rootjQuery) {
++ // If the string contains a "#" before a "<", treat it as invalid HTML.
++ if (selector && typeof selector === 'string') {
++ var hash_position = selector.indexOf('#');
++ if (hash_position >= 0) {
++ var bracket_position = selector.indexOf('<');
++ if (bracket_position > hash_position) {
++ throw 'Syntax error, unrecognized expression: ' + selector;
++ }
++ }
++ }
++ return jquery_init.call(this, selector, context, rootjQuery);
++};
++$.fn.init.prototype = jquery_init.prototype;
++
++/**
+ * Attach all registered behaviors to a page element.
+ *
+ * Behaviors are event-triggered actions that attach to page elements, enhancing
+Index: drupal7-7.14/misc/vertical-tabs.js
+===================================================================
+--- drupal7-7.14.orig/misc/vertical-tabs.js 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/misc/vertical-tabs.js 2013-01-29 12:14:56.000000000 -0600
+@@ -50,8 +50,8 @@
+ if (!tab_focus) {
+ // If the current URL has a fragment and one of the tabs contains an
+ // element that matches the URL fragment, activate that tab.
+- if (window.location.hash && $(window.location.hash, this).length) {
+- tab_focus = $(window.location.hash, this).closest('.vertical-tabs-pane');
++ if (window.location.hash && $(this).find(window.location.hash).length) {
++ tab_focus = $(this).find(window.location.hash).closest('.vertical-tabs-pane');
+ }
+ else {
+ tab_focus = $('> .vertical-tabs-pane:first', this);
+Index: drupal7-7.14/modules/book/book.pages.inc
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.pages.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.pages.inc 2013-01-29 12:14:56.000000000 -0600
+@@ -38,6 +38,15 @@
+ * format determined by the $type parameter.
+ */
+ function book_export($type, $nid) {
++ // Check that the node exists and that the current user has access to it.
++ $node = node_load($nid);
++ if (!$node) {
++ return MENU_NOT_FOUND;
++ }
++ if (!node_access('view', $node)) {
++ return MENU_ACCESS_DENIED;
++ }
++
+ $type = drupal_strtolower($type);
+ 
+ $export_function = 'book_export_' . $type;
+Index: drupal7-7.14/modules/book/book.test
+===================================================================
+--- drupal7-7.14.orig/modules/book/book.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/book/book.test 2013-01-29 12:14:56.000000000 -0600
+@@ -258,6 +258,13 @@
+ // Try getting the URL directly, and verify it fails.
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', t('Anonymous user properly forbidden.'));
++
++ // Now grant anonymous users permission to view the printer-friendly
++ // version and verify that node access restrictions still prevent them from
++ // seeing it.
++ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
++ $this->drupalGet('book/export/html/' . $this->book->nid);
++ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
+ }
+ 
+ /**
+Index: drupal7-7.14/modules/image/image.module
+===================================================================
+--- drupal7-7.14.orig/modules/image/image.module 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/image/image.module 2013-01-29 12:14:56.000000000 -0600
+@@ -292,7 +292,8 @@
+ if ($info = image_get_info($uri)) {
+ // Check the permissions of the original to grant access to this image.
+ $headers = module_invoke_all('file_download', $original_uri);
+- if (!in_array(-1, $headers)) {
++ // Confirm there's at least one module granting access and none denying access.
++ if (!empty($headers) && !in_array(-1, $headers)) {
+ return array(
+ // Send headers describing the image's size, and MIME-type...
+ 'Content-Type' => $info['mime_type'],
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2013-01-11 17:47:21.000000000 -0600
+++ drupal7-7.14/debian/patches/series 2013-01-29 12:14:19.000000000 -0600
@@ -2,3 +2,4 @@
 30_DFSG-sources.patch
 40_SA-CORE-2012-003
 50_SA-CORE-2012-004
+60_SA-CORE-2013-001
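Review bot: In the drupal.js part of this hunk the new `$.fn.init` wrapper throws a bare string, `throw 'Syntax error, unrecognized expression: ' + selector;`, so a caller's `catch` receives no stack trace and no `name` to match on; `throw new Error(...)` would be the idiomatic form, but since the hunk mirrors the upstream 7.19 change it is probably better kept verbatim so later backports still apply cleanly. The line `$.fn.init.prototype = jquery_init.prototype;` deserves a short comment, e.g. `// Restore the original prototype so objects built through the wrapper presumably keep the jQuery prototype chain.` The guard only rejects string selectors where a `<` appears after a `#`; strings with no `<` at all, or with `<` before `#`, are passed through to the original init unchanged, which is worth stating in the comment above it. The remaining changes (scoped `.find()` in collapse.js and vertical-tabs.js, the `node_load()`/`node_access()` check at the top of `book_export()`, and the `!empty($headers)` guard in image.module) read consistently with the advisory's stated scope of cross-site scripting and access bypass.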