Bug 14298 - drupal new security issue CVE-2014-3704
Summary: drupal new security issue CVE-2014-3704
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/616445/
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-15 22:10 CEST by David Walser
Modified: 2014-10-25 22:23 CEST (History)

See Also:
Source RPM: drupal-7.31-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-10-15 22:10:12 CEST
An advisory has been issued today (October 15):
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Mageia 3 and Mageia 4 are also affected.

The update is checked into SVN and a freeze push has been requested for Cauldron.

David Walser 2014-10-15 22:10:18 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-16 13:58:05 CEST
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory to come later.  For now see the reference in Comment 0.

drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-10-16 16:46:20 CEST
Debian has issued an advisory for this on October 15:
http://www.debian.org/security/2014/dsa-3051

This is highly critical and should be considered a priority update.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal
core handles prepared statements. A malicious user can inject arbitrary SQL
queries, and thereby completely control the Drupal site. This vulnerability
can be exploited by remote attackers without any kind of authentication
required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.31
https://www.drupal.org/drupal-7.31-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm
David Walser 2014-10-16 18:09:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616445/

Comment 3 David Walser 2014-10-16 18:33:33 CEST
Correcting the 7.31/7.32 links in the advisory.


Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal
core handles prepared statements. A malicious user can inject arbitrary SQL
queries, and thereby completely control the Drupal site. This vulnerability
can be exploited by remote attackers without any kind of authentication
required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.32
https://www.drupal.org/drupal-7.32-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm
Comment 4 olivier charles 2014-10-17 22:23:26 CEST
Testing on Mageia4-64 real hardware.

As I didn't know if there was anything specific to test, I installed the updates-testing packages as listed and then installed drupal following the installation guide found here:
https://www.drupal.org/documentation/install.


With MCC:

- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch
- drupal-postgresql-7.32-1.mga4.noarch
- drupal-sqlite-7.32-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.x86_64
- php-pdo_pgsql-5.5.16-1.mga4.x86_64
- php-pdo_sqlite-5.5.16-1.mga4.x86_64
- php-uploadprogress-1.0.3.1-7.mga4.x86_64

Created a database on the command line:

# mysqladmin -u root -p create drupzitoun
# mysql -u root -p
> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupzitoun.* TO 'root'@'localhost' IDENTIFIED BY 'password';
> exit

Set up drupal:

# cd /usr/share/drupal
# cp sites/default/default.settings.php sites/default/settings.php
# chmod a+w sites/default/settings.php
# chmod a+w sites/default

In the Firefox web browser:

http://localhost/drupal/install.php

Followed the installation steps:

Drupal
Installation tasks

    Choose profile(done)
    Choose language(done)
    Verify requirements(done)
    Set up database(done)
    Install profile

All necessary changes to sites/default and sites/default/settings.php have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the online handbook.

# chmod 644 sites/default/settings.php
# cd sites
# chmod 755 default

Drupal installed without any problem.

Then, connected to http://drupal which opened a start page where I created articles, menus, links, installed modules, logged out, logged back in, edited and deleted articles ...

Everything went well.

If there is any other step to follow, I'll be happy to do it for further testing.

CC: (none) => olchal
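
A post-update check, added here as an example and not part of this bug report or of the Mageia packages: it verifies the two things the procedure in Comment 4 ends on, that the installed drupal package is at least 7.32 (the first release without CVE-2014-3704) and that sites/default/settings.php and sites/default are no longer group- or world-writable after the chmod a+w used during installation. It assumes GNU coreutils stat and rpm, as on Mageia 3/4; the Drupal root /usr/share/drupal is the one used in Comment 4.

```shell
#!/bin/sh
# Post-update audit for the drupal packages in this bug (example script, not Mageia tooling).
# Assumes GNU `stat -c` and `rpm` as found on Mageia 3/4.

FIXED_VERSION=7.32   # first Drupal 7 release without CVE-2014-3704, per the advisory

# Return 0 when version $1 (e.g. 7.31) is at least version $2 (e.g. 7.32).
# Only major.minor is compared; that is all Drupal 7 release numbers carry.
version_at_least() {
    inst_major=${1%%.*}; fixed_major=${2%%.*}
    case $1 in *.*) inst_minor=${1#*.} ;; *) inst_minor=0 ;; esac
    case $2 in *.*) fixed_minor=${2#*.} ;; *) fixed_minor=0 ;; esac
    [ "$inst_major" -gt "$fixed_major" ] && return 0
    [ "$inst_major" -eq "$fixed_major" ] && [ "${inst_minor%%.*}" -ge "${fixed_minor%%.*}" ]
}

# Return 0 when $1 has no group or other write bit (644 / 755, as the installer
# asks for once setup is done); 1 when it is missing or still writable by others.
not_group_or_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    last_two=${mode#"${mode%??}"}   # the group and other octal digits
    case $last_two in
        *[2367]*) return 1 ;;       # write bit (2) set in group or other
    esac
    return 0
}

# Audit one Drupal install root; prints one line per check, returns 0 only if all pass.
audit_drupal() {
    root=${1:-/usr/share/drupal}
    rc=0
    inst=$(rpm -q --qf '%{VERSION}\n' drupal 2>/dev/null) || inst=""
    if [ -n "$inst" ] && version_at_least "$inst" "$FIXED_VERSION"; then
        echo "OK   drupal $inst >= $FIXED_VERSION"
    else
        echo "FAIL drupal package is '${inst:-not installed}', need >= $FIXED_VERSION"
        rc=1
    fi
    for path in "$root/sites/default/settings.php" "$root/sites/default"; do
        if not_group_or_world_writable "$path"; then
            echo "OK   $path is not group/world writable"
        else
            echo "FAIL $path missing or still writable (chmod 644 / 755 it)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh drupal-audit.sh /usr/share/drupal
if [ $# -ge 1 ]; then audit_drupal "$1"; fi
```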

Comment 5 David Walser 2014-10-17 23:34:03 CEST
That's sufficient, thanks Olivier.
Comment 6 Rémi Verschelde 2014-10-18 14:11:57 CEST
See comment 4 and https://bugs.mageia.org/show_bug.cgi?id=13271#c16 for testing procedures.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 7 Lewis Smith 2014-10-19 08:37:42 CEST
I am trying this also on M4 x64 using PostgreSQL, but after installing & configuring Drupal from the normal repos (thanks to Olivier for his excellent instructions in Comment 4), I am having problems with Updates Testing which (among a raft of updates) does not show Drupal at all. Have tried twice, on both sides of a night;
 # urpmi.update "Core Updates Testing" yields the 'aria2' error. Will try again tonight.

CC: (none) => lewyssmith

Comment 8 Lewis Smith 2014-10-19 21:10:47 CEST
M4 x64 using PostgreSQL.
Eventually managed to update Drupal to:
 drupal-postgresql-7.32-1.mga4
 drupal-7.32-1.mga4
Re-launched it, played a little bit (being clueless about it), it worked OK as before the update. Edited a page, changed a picture. *Much* less than Comment 4.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 9 olivier charles 2014-10-21 10:13:18 CEST
Testing on Mageia4-32, real HW

First installing the normal packages:

- drupal-7.31-1.mga4.noarch
- drupal-mysql-7.31-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.i586
- php-uploadprogress-1.0.3.1-7.mga4.i586

Set up drupal as before using mysql (comment 4)

Everything OK (installation, basic usage)


Updating to drupal-testing:
- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch

Connected to http://localhost/drupal
Found my first project, basic usage ok.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK

olivier charles 2014-10-21 10:13:53 CEST

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

Comment 10 Rémi Verschelde 2014-10-23 11:14:53 CEST
Advisory uploaded, ready to be pushed once it's been tested on Mageia 3.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory

Comment 11 Otto Leipälä 2014-10-23 16:51:48 CEST
I can test Mageia 3.

CC: (none) => ozkyster

Comment 12 Otto Leipälä 2014-10-23 19:23:12 CEST
I tried to test it but I get several errors in the terminal from mysql:
I cannot set the mysql root password, even after trying to edit the file /etc/my.cnf.

mysqladmin -u root password '*********':

mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/var/lib/mysql/mysql.sock' exists!

Is this because of VirtualBox?
Comment 13 Rémi Verschelde 2014-10-23 19:26:55 CEST
Did you start mysqld with: systemctl start mysqld?

If you're stuck with mariadb you can have a look at some instructions I wrote here, that might help you change the password if you forgot it: https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Comment 14 Otto Leipälä 2014-10-24 17:10:03 CEST
Mageia 3 testing done, no problems found, I validated the update.
Sysadmin please push this update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory

Comment 15 Mageia Robot 2014-10-25 22:23:41 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0423.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED