Bug 13271 - drupal new security issues CVE-2014-2983, CVE-2014-5019, and CVE-2014-502[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/596581/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
 
Reported: 2014-04-26 19:15 CEST by David Walser
Modified: 2014-08-08 16:25 CEST

Source RPM: drupal-7.26-1.mga4.src.rpm

Description David Walser 2014-04-26 19:15:57 CEST
Drupal 7.27 was announced on April 16, fixing security issues:
https://drupal.org/drupal-7.27
https://drupal.org/drupal-7.27-release-notes

The upstream security advisory is here:
https://drupal.org/SA-CORE-2014-002

David Walser 2014-04-26 19:16:08 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-04-28 19:03:21 CEST
Debian has issued an advisory for this on April 25:
https://www.debian.org/security/2014/dsa-2913

URL: (none) => http://lwn.net/Vulnerabilities/596581/

Comment 2 David Walser 2014-05-09 03:55:43 CEST
Drupal 7.28 bugfix release is out:
http://freecode.com/projects/drupal/releases/363572

Comment 3 Thomas Backlund 2014-05-17 12:36:59 CEST
in progress...

CC: (none) => tmb

Comment 4 Thomas Backlund 2014-05-17 13:02:30 CEST
Cauldron, mga4 and mga packages built.


rpms to test...

mga4:

SRPM:
drupal-7.28-1.mga4.src.rpm

i586:
drupal-7.28-1.mga4.noarch.rpm
drupal-mysql-7.28-1.mga4.noarch.rpm
drupal-postgresql-7.28-1.mga4.noarch.rpm
drupal-sqlite-7.28-1.mga4.noarch.rpm

x86_64:
drupal-7.28-1.mga4.noarch.rpm
drupal-mysql-7.28-1.mga4.noarch.rpm
drupal-postgresql-7.28-1.mga4.noarch.rpm
drupal-sqlite-7.28-1.mga4.noarch.rpm



mga3:

SRPM:
drupal-7.28-1.mga3.src.rpm

i586:
drupal-7.28-1.mga3.noarch.rpm
drupal-mysql-7.28-1.mga3.noarch.rpm
drupal-postgresql-7.28-1.mga3.noarch.rpm
drupal-sqlite-7.28-1.mga3.noarch.rpm

x86_64:
drupal-7.28-1.mga3.noarch.rpm
drupal-mysql-7.28-1.mga3.noarch.rpm
drupal-postgresql-7.28-1.mga3.noarch.rpm
drupal-sqlite-7.28-1.mga3.noarch.rpm

Hardware: i586 => All
Version: Cauldron => 4
Assignee: fundawang => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 5 David Walser 2014-05-17 13:32:57 CEST
Thanks Thomas!

Advisory:
========================

Updated drupal packages fix security vulnerability:

An information disclosure vulnerability was discovered in Drupal before 7.27.
When pages are cached for anonymous users, form state may leak between
anonymous users. Sensitive or private information recorded for one anonymous
user could thus be disclosed to other users interacting with the same form at
the same time (CVE-2014-2983).

Drupal has been updated to version 7.28, fixing this and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983
https://drupal.org/SA-CORE-2014-002
https://drupal.org/drupal-7.27
https://drupal.org/drupal-7.27-release-notes
https://drupal.org/drupal-7.28
http://drupal.org/drupal-7.28-release-notes
https://www.debian.org/security/2014/dsa-2913

Comment 6 claire robinson 2014-05-19 14:34:59 CEST
Procedure in bug 8442.

Currently testing mga3 32

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 7 claire robinson 2014-05-19 15:14:42 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok

Comment 8 claire robinson 2014-05-19 15:26:08 CEST
Testing mga3 64 next.

Comment 9 claire robinson 2014-05-19 15:48:22 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 10 claire robinson 2014-05-19 18:30:19 CEST
Testing mga4 32

Didn't notice this on upgraded installations but when testing with a mysql database I installed directly with the update candidate. It was all OK until I logged out. It at first showed connection reset, then after a refresh and attempted logout again it showed..

Fatal error: Cannot call overloaded function for non-object in /usr/share/drupal/includes/database/query.inc on line 331


/var/log/httpd/error_log shows this..

[Mon May 19 17:21:22.369728 2014] [core:notice] [pid 8625] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 19 17:23:35.522872 2014] [core:notice] [pid 8625] AH00052: child pid 8630 exit signal Segmentation fault (11)
[Mon May 19 17:23:35.522972 2014] [core:notice] [pid 8625] AH00052: child pid 8687 exit signal Segmentation fault (11)
[Mon May 19 17:23:35.523007 2014] [core:notice] [pid 8625] AH00052: child pid 8689 exit signal Segmentation fault (11)
[Mon May 19 17:23:36.524093 2014] [core:notice] [pid 8625] AH00052: child pid 8632 exit signal Segmentation fault (11)
[Mon May 19 17:23:36.524254 2014] [core:notice] [pid 8625] AH00052: child pid 8730 exit signal Segmentation fault (11)
[Mon May 19 17:23:39.526479 2014] [core:notice] [pid 8625] AH00052: child pid 8628 exit signal Segmentation fault (11)
zend_mm_heap corrupted
[Mon May 19 17:23:50.866243 2014] [:error] [pid 8733] [client 127.0.0.1:38614] PHP Fatal error:  Cannot call overloaded function for non-object in /usr/share/drupal/includes/database/query.inc on line 331, referer: http://localhost/drupal/

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure feedback mga3-32-ok mga3-64-ok

Comment 11 David Walser 2014-05-19 18:47:58 CEST
Some Googling shows that this zend_mm_heap corrupted thing with Drupal is a pretty common problem and has been for years apparently.  There are a zillion different suggestions out there, like disabling opcache or apc and increasing the output_buffering value in php.ini.  It certainly hasn't been hard to find PHP crasher bugs on Mageia 4 :o(

As for the query.inc thing, that sounds like a Drupal bug.  I suppose we could see if they fix it in 7.29?

Comment 12 claire robinson 2014-05-23 13:21:30 CEST
Assigning back to you for now David. Please reassign when you're ready. Thanks.

CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser
Whiteboard: MGA3TOO has_procedure feedback mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 13 David Walser 2014-07-22 16:26:44 CEST
Upstream has issued an advisory on July 16:
https://www.drupal.org/SA-CORE-2014-003

The issues are fixed in 7.29.

Debian has issued an advisory for this on July 20:
https://www.debian.org/security/2014/dsa-2983

LWN reference:
http://lwn.net/Vulnerabilities/606068/

CVE request:
http://openwall.com/lists/oss-security/2014/07/21/5

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An information disclosure vulnerability was discovered in Drupal before 7.27.
When pages are cached for anonymous users, form state may leak between
anonymous users. Sensitive or private information recorded for one anonymous
user could thus be disclosed to other users interacting with the same form at
the same time (CVE-2014-2983).

Multiple security issues in Drupal before 7.29, including a denial of service
issue, an access bypass issue in the File module, and multiple cross-site
scripting issues (SA-CORE-2014-003).

Drupal has been updated to version 7.29, fixing this and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983
https://drupal.org/SA-CORE-2014-002
https://drupal.org/SA-CORE-2014-003
https://drupal.org/drupal-7.27
https://drupal.org/drupal-7.27-release-notes
https://drupal.org/drupal-7.28
http://drupal.org/drupal-7.28-release-notes
https://drupal.org/drupal-7.29
http://drupal.org/drupal-7.29-release-notes
https://www.debian.org/security/2014/dsa-2913
https://www.debian.org/security/2014/dsa-2983
========================

Updated packages in core/updates_testing:
========================
drupal-7.29-1.mga3
drupal-mysql-7.29-1.mga3
drupal-postgresql-7.29-1.mga3
drupal-sqlite-7.29-1.mga3
drupal-7.29-1.mga4
drupal-mysql-7.29-1.mga4
drupal-postgresql-7.29-1.mga4
drupal-sqlite-7.29-1.mga4

from SRPMS:
drupal-7.29-1.mga3.src.rpm
drupal-7.29-1.mga4.src.rpm

CC: qa-bugs => (none)
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure
Severity: major => critical

Comment 14 David Walser 2014-07-23 21:42:42 CEST
MITRE says CVEs were already assigned to the SA-CORE-2014-003 issues:
http://openwall.com/lists/oss-security/2014/07/23/12

Updated advisory.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An information disclosure vulnerability was discovered in Drupal before 7.27.
When pages are cached for anonymous users, form state may leak between
anonymous users. Sensitive or private information recorded for one anonymous
user could thus be disclosed to other users interacting with the same form at
the same time (CVE-2014-2983).

Multiple security issues in Drupal before 7.29, including a denial of service
issue, an access bypass issue in the File module, and multiple cross-site
scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022).

Drupal has been updated to version 7.29, fixing this and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5022
https://drupal.org/SA-CORE-2014-002
https://drupal.org/SA-CORE-2014-003
https://drupal.org/drupal-7.27
https://drupal.org/drupal-7.27-release-notes
https://drupal.org/drupal-7.28
http://drupal.org/drupal-7.28-release-notes
https://drupal.org/drupal-7.29
http://drupal.org/drupal-7.29-release-notes
https://www.debian.org/security/2014/dsa-2913
https://www.debian.org/security/2014/dsa-2983

Summary: drupal new security issue CVE-2014-2983 => drupal new security issues CVE-2014-2983, CVE-2014-5019, and CVE-2014-502[0-2]
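
The version thresholds in the advisory above, turned into a check that can be run against installed package names. This is an added example, not part of the bug report or of Mageia's tooling; the function names are hypothetical, and only the Drupal 7 series packaged here is handled.

```sh
#!/bin/sh
# Added example: which CVEs from this advisory a Drupal 7 package still carries.
# Thresholds come from the advisory text: "before 7.27" and "before 7.29".

# drupal-mysql-7.28-1.mga4 -> 7.28 (drop "-release", keep the last field)
nvr_version() {
    nv=${1%-*}
    printf '%s\n' "${nv##*-}"
}

# Succeeds when dotted numeric version $1 is lower than $2 (7.3 < 7.27).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print the CVE ids not yet fixed in version $1; status 2 if not a 7.x version.
drupal_open_cves() {
    case $1 in
        ''|*[!0-9.]*) return 2 ;;
        7.*) ;;
        *) return 2 ;;
    esac
    out=
    version_lt "$1" 7.27 && out="CVE-2014-2983"
    version_lt "$1" 7.29 &&
        out="$out CVE-2014-5019 CVE-2014-5020 CVE-2014-5021 CVE-2014-5022"
    printf '%s\n' "${out# }"
}

# Read one package name-version-release per line and report on each.
report() {
    while read -r nvr; do
        [ -n "$nvr" ] || continue
        cves=$(drupal_open_cves "$(nvr_version "$nvr")") || cves="not a 7.x version"
        printf '%s: %s\n' "$nvr" "${cves:-no CVE from this advisory outstanding}"
    done
}

# Constructed sample input, using package names that appear in this report.
# On a live system: rpm -qa 'drupal*' --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | report
printf '%s\n' drupal-7.26-1.mga4 drupal-mysql-7.28-1.mga4 drupal-sqlite-7.29-1.mga3 | report
```
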

Comment 15 Lewis Smith 2014-08-02 22:33:04 CEST
Just to say that I am wrestling with installing Drupal MGA4 64-bit with a view to trying the update. Have got it basically installed, but not yet working.
To keep this update 'alive'.

CC: (none) => lewyssmith

Comment 16 claire robinson 2014-08-05 18:22:48 CEST
Testing complete mga4 64

As with most webapps it needs a database. drupal can use sqlite, mysql (mariadb) or postgresql. Once the package is installed and a database created, further configuration takes place at http://localhost/drupal

Installing the current package then updating to the testing version and ensuring it still works.

mysql
=====
# urpmi drupal
In order to satisfy the 'drupal-database-storage[== 7.26-1.mga4]' dependency, one of the following packages is needed:
 1- drupal-mysql-7.26-1.mga4.noarch: mysql storage for drupal (to install)
 2- drupal-postgresql-7.26-1.mga4.noarch: postgresql storage for drupal (to install)
 3- drupal-sqlite-7.26-1.mga4.noarch: sqlite storage for drupal (to install)
What is your choice? (1-3) 1

Use phpmyadmin to create a mysql user/password and database, or use command line as below. I generally use 'drupal' for each of these as it's only temporary and not open to t'internet.

# mysql -p
Enter password: <<-- this is the mysql root passwd, not system root passwd
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 95
Server version: 5.5.38-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user drupal@localhost identified by 'drupal';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> create database drupal;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on drupal.* to drupal@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

Browse to http://localhost/drupal and begin the configuration. Choose mysql as the database type and enter the details there. When configuration is completed add some site content and upload an image, update it and check it again. I usually untick the option to send site emails.

Remove drupal and clear the database and configuration.

# urpme drupal
# rm -rf /etc/drupal
# mysql -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 176
Server version: 5.5.38-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> drop user drupal@localhost;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> drop database drupal;
Query OK, 73 rows affected (0.36 sec)

MariaDB [(none)]> exit
Bye


postgresql
==========
# urpmi drupal
In order to satisfy the 'drupal-database-storage[== 7.29-1.mga4]' dependency, one of the following packages is needed:
 1- drupal-mysql-7.29-1.mga4.noarch: mysql storage for drupal (to install)
 2- drupal-postgresql-7.29-1.mga4.noarch: postgresql storage for drupal (to install)
 3- drupal-sqlite-7.29-1.mga4.noarch: sqlite storage for drupal (to install)
What is your choice? (1-3) 2

I installed the update candidate directly this time. It installs lib64pq9.3_5 which is a postgresql lib. postgresql is version dependent so install the matching postgresql9.3-server package and start the service.

# urpmi postgresql9.3-server
# service postgresql start

Create a database in postgresql weirdness. You first change to user postgres. 

# su - postgres
$ createuser --pwprompt --encrypted --no-adduser drupal
Enter password for new role: 
Enter it again: 
$ createdb --encoding=UNICODE --template=template0 --owner=drupal drupal
$ exit
logout
#

Then browse to http://localhost/drupal and complete the configuration, this time selecting postgresql database type. Add an article with an image.

Remove drupal and clean up again..

# urpme drupal
# rm -rf /etc/drupal
# su - postgres
$ dropdb drupal
$ dropuser drupal
exit
# urpme postgresql9.3-server


sqlite
======
# urpmi drupal
In order to satisfy the 'drupal-database-storage[== 7.29-1.mga4]' dependency, one of the following packages is needed:
 1- drupal-mysql-7.29-1.mga4.noarch: mysql storage for drupal (to install)
 2- drupal-postgresql-7.29-1.mga4.noarch: postgresql storage for drupal (to install)
 3- drupal-sqlite-7.29-1.mga4.noarch: sqlite storage for drupal (to install)
What is your choice? (1-3) 3

Then browse to http://localhost/drupal and choose sqlite database

For some reason this sometimes fails, causing apache segfaults. Likely php-suhosin again. Restarting (rather than reloading) apache cures it.

Tested with current and updated to testing again.

Remove drupal and clean up..

# urpme drupal
# rm -rf /var/lib/drupal/
# rm -rf /etc/drupal

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 17 Rémi Verschelde 2014-08-05 20:34:14 CEST
Testing complete on Mageia 3 32bit following the detailed procedure in comment 16. Thanks for this Claire :-)

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 18 Rémi Verschelde 2014-08-05 22:46:53 CEST
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory

Comment 19 claire robinson 2014-08-06 17:18:42 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok advisory

Comment 20 claire robinson 2014-08-07 18:14:59 CEST
Testing complete mga4 32

Validating. Advisory already uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 21 Pascal Terjan 2014-08-07 19:03:20 CEST
http://advisories.mageia.org/MGASA-2014-0322.html

CC: (none) => pterjan

Comment 22 Pascal Terjan 2014-08-07 19:03:55 CEST
.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 23 David Walser 2014-08-08 16:25:52 CEST
LWN reference for the CVEs fixed in SA-CORE-2014-003 / Drupal 7.29:
http://lwn.net/Vulnerabilities/608201/
