-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello.
I have prepared LTS security update for drupal7[1] . Debdiff is attached. Please review and upload. I tested it on a clean wheezy vm [1]https://mentors.debian.net/debian/pool/main/d/drupal7/drupal7_7.14-2+ deb7u19.dsc - --abhijith -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlrhP0sACgkQhj1N8u2c KO+NMQ//VBcmJujC7v/iVzXcWBSg9cailAFOJ5lC8VCkpjN9Vb5RrO1wOqbVGAux 6vh2gFQe0jdL2mYoUT88mI9Bep/8ZyhNRrllL+gZun/3JZ/FFyd5hpO8+1Q/II0I m8Zm+A1wkBq0MkV6Uv7+QdlyL8mzONTMhfB9VZOHMvOdqUfnWRvfuvjuJ8bCkUGd blmplnmZIK0F1c2sZh6o6pZpR0X3ffmiYJdQL4Wg9vuRqZzE+erbmofXqj6rp6nx TEvI3e/hvblhWRB75iwhcZEbGb3C1VWyhIfaZs9z780VnFUf35ZALDcXM+xokmfu /Ks3XiJlBGkUOKsCHVXUWgF/M6TJm8ucpQpE2d2PQBl/Z8NC1vUVEGxO3CohHV9s NbWxM/IRyN6+neXuHvj7J/NcQJa7BaOVkQuoruaaYM3wzlAmoCT+LvXQNarEyWT0 y/AC15kG0cC7sFTq9niwZl1jP7v0HkbMsbfL7SPnkQ7qg1ZVrPDh9QnJE7LaqWzH xjBLltKMpKJB9QHMhp/O62DBRLmH9uST3glJLBAT0DtfqpF3S4nXFBdMcengF55f cIw4bZBypTLROZnsAYBrGO5FZy2ImLatq12oqPDrZ8rtP5YeaeD22zrA5VTNOxK5 vWczPgvZfmeDIiv1Oj0OknFQw9jodpyQBJFwuT0g2UgAnxJH/Os= =vpjB -----END PGP SIGNATURE-----
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/changelog 2018-04-26 03:14:26.000000000 +0530
@@ -1,3 +1,13 @@
+drupal7 (7.14-2+deb7u19) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2018-7602: A remote code execution vulnerability exists within
+ multiple subsystems of Drupal 7.x and 8.x. This potentially allows
+ attackers to exploit multiple attack vectors on a Drupal site,
+ which could result in the site being compromised.
+
+ -- Abhijith PA <abhij...@disroot.org> Thu, 26 Apr 2018 03:14:26 +0530
+
 drupal7 (7.14-2+deb7u18) wheezy-security; urgency=high
 
 * Non-maintainer upload by the LTS team.
diff -Nru drupal7-7.14/debian/patches/CVE-2018-7602.patch drupal7-7.14/debian/patches/CVE-2018-7602.patch
--- drupal7-7.14/debian/patches/CVE-2018-7602.patch 1970-01-01 05:30:00.000000000 +0530
+++ drupal7-7.14/debian/patches/CVE-2018-7602.patch 2018-04-26 03:13:01.000000000 +0530
@@ -0,0 +1,91 @@
+Description: CVE-2018-7602
+ A remote code execution vulnerability exists within multiple subsystems of
+ Drupal. This potentially allows attackers to exploit multiple attack vectors on
+ a Drupal site, which could result in the site being compromised.
+
+Author: Abhijith PA <abhij...@disroot.org>
+Origin: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
+Bug-Debian: https://bugs.debian.org/896701
+Last-Update: 2018-04-25
+
+--- drupal7-7.14.orig/includes/bootstrap.inc
++++ drupal7-7.14/includes/bootstrap.inc
+@@ -2458,6 +2458,11 @@ function _drupal_bootstrap_variables() {
+ unset($_GET['destination']);
+ unset($_REQUEST['destination']);
+ }
++ // Use the DrupalRequestSanitizer to ensure that the destination's query
++ // parameters are not dangerous.
++ if (isset($_GET['destination'])) {
++ DrupalRequestSanitizer::cleanDestination();
++ }
+ // If there's still something in $_REQUEST['destination'] that didn't come
+ // from $_GET, check it too.
+ if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
+--- drupal7-7.14.orig/includes/common.inc
++++ drupal7-7.14/includes/common.inc
+@@ -601,8 +601,9 @@ function drupal_parse_url($url) {
+ }
+ // The 'q' parameter contains the path of the current page if clean URLs are
+ // disabled. It overrides the 'path' of the URL when present, even if clean
+- // URLs are enabled, due to how Apache rewriting rules work.
+- if (isset($options['query']['q'])) {
++ // URLs are enabled, due to how Apache rewriting rules work. The path
++ // parameter must be a string.
++ if (isset($options['query']['q']) && is_string($options['query']['q'])) {
+ $options['path'] = $options['query']['q'];
+ unset($options['query']['q']);
+ }
+--- drupal7-7.14.orig/includes/request-sanitizer.inc
++++ drupal7-7.14/includes/request-sanitizer.inc
+@@ -52,6 +52,38 @@ class DrupalRequestSanitizer {
+ }
+
+ /**
++ * Removes the destination if it is dangerous.
++ *
++ * Note this can only be called after common.inc has been included.
++ *
++ * @return bool
++ * TRUE if the destination has been removed from $_GET, FALSE if not.
++ */
++ public static function cleanDestination() {
++ $dangerous_keys = array();
++ $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
++
++ $parts = drupal_parse_url($_GET['destination']);
++ // If there is a query string, check its query parameters.
++ if (!empty($parts['query'])) {
++ $whitelist = variable_get('sanitize_input_whitelist', array());
++
++ self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
++ if (!empty($dangerous_keys)) {
++ // The destination is removed rather than sanitized to mirror the
++ // handling of external destinations.
++ unset($_GET['destination']);
++ unset($_REQUEST['destination']);
++ if ($log_sanitized_keys) {
++ trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array('@keys' => implode(', ', $dangerous_keys))));
++ }
++ return TRUE;
++ }
++ }
++ return FALSE;
++ }
++
++ /**
+ * Strips dangerous keys from the provided input.
+ *
+ * @param mixed $input
+--- drupal7-7.14.orig/modules/file/file.module
++++ drupal7-7.14/modules/file/file.module
+@@ -239,6 +239,9 @@ function file_ajax_upload() {
+ $form_parents = func_get_args();
+ $form_build_id = (string) array_pop($form_parents);
+
++ // Sanitize form parents before using them.
++ $form_parents = array_filter($form_parents, 'element_child');
++
+ if (empty($_POST['form_build_id']) || $form_build_id != $_POST['form_build_id']) {
+ // Invalid request.
+ drupal_set_message(t('An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (@size) that this server supports.', array('@size' => format_size(file_upload_max_size()))), 'error');
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2018-03-29 02:17:59.000000000 +0530
+++ drupal7-7.14/debian/patches/series 2018-04-26 03:14:26.000000000 +0530
@@ -23,3 +23,4 @@
 SA-CORE-2017-003
 SA-CORE-2018-001.patch
 CVE-2018-7600.patch
+CVE-2018-7602.patch
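Review bot: cleanDestination() hands `$_GET['destination']` to drupal_parse_url() without first confirming it is a string, even though this same patch adds an is_string() guard for the `q` parameter inside drupal_parse_url(). Whether an array-valued destination is already dropped earlier in _drupal_bootstrap_variables() cannot be seen here, because that function starts and ends outside the quoted context. If it is not, a guard ahead of the call such as `if (isset($_GET['destination']) && !is_string($_GET['destination'])) { unset($_GET['destination'], $_REQUEST['destination']); }` would keep the sanitizer from being handed a non-string, and is better raised upstream than carried as a Debian-only delta. Separately, the removal is reported through trigger_error() only when `sanitize_input_logging` is set, and the default passed to variable_get() here is FALSE, so on a stock install a stripped destination leaves no log trace. A line in the changelog or NEWS telling administrators how to enable that variable would help anyone who wants to monitor for probing after the upgrade.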