Bug 7944 - drupal possible security issues CVE-2012-1588, CVE-2012-1589, CVE-2012-1590, CVE-2012-1591, CVE-2012-2153, and CVE-2012-2922 [mga2]
Summary: drupal possible security issues CVE-2012-1588, CVE-2012-1589, CVE-2012-1590, ...
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/500133/
Whiteboard: mga2-32-OK mga2-64-OK
Keywords: validated_update
Depends on:
Reported: 2012-11-01 14:23 CET by claire robinson
Modified: 2012-11-01 15:57 CET (History)
2 users (show)

See Also:
Source RPM: drupal
Status comment:


Description claire robinson 2012-11-01 14:23:12 CET
Split bug 5844 so drupal mga2 could be pushed.

The Mga1 update can be handled separately in that same bug.


Updated drupal packages fix security vulnerabilities:

Drupal core's text filtering system provides several features
including removing inappropriate HTML tags and automatically linking
content that appears to be a link. A pattern in Drupal's text
matching was found to be inefficient with certain specially crafted
strings. This vulnerability is mitigated by the fact that users must
have the ability to post content sent to the filter system such as a
role with the "post comments" or "Forum topic: Create new content"
permission (CVE-2012-1588).

Drupal core's Form API allows users to set a destination, but failed
to validate that the URL was internal to the site. This weakness
could be abused to redirect the login to a remote site with a
malicious script that harvests the login credentials and redirects to
the live site. This vulnerability is mitigated only by the end user's
ability to recognize a URL with malicious query parameters to avoid
the social engineering required to exploit the problem (CVE-2012-1589).

Drupal core's forum lists fail to check user access to nodes when
displaying them in the forum overview page. If an unpublished node was
the most recently updated in a forum then users who should not have
access to unpublished forum posts were still be able to see meta-data
about the forum post such as the post title (CVE-2012-1590).

Drupal core provides the ability to have private files, including
images, and Image Styles which create derivative images from an
original image that may differ, for example, in size or saturation.
Drupal core failed to properly terminate the page request for cached
image styles allowing users to access image derivatives for images
they should not be able to view. Furthermore, Drupal didn't set the
right headers to prevent image styles from being cached in the
browser (CVE-2012-1591).

Drupal core provides the ability to list nodes on a site at
admin/content. Drupal core failed to confirm a user viewing that page
had access to each node in the list. This vulnerability only concerns
sites running a contributed node access module and is mitigated by the
fact that users must have a role with the "Access the content overview
page" permission. Unpublished nodes were not displayed to users who
only had the "Access the content overview page" permission

The request_path function in includes/bootstrap.inc in Drupal 7.14 and
earlier allows remote attackers to obtain sensitive information via
the q[] parameter to index.php, which reveals the installation path in
an error message (CVE-2012-2922).

A bug in the installer code was identified that allows an attacker to
re-install Drupal using an external database server under certain
transient conditions. This could allow the attacker to execute
arbitrary PHP code on the original server (Drupal SA-CORE-2012-003).

For sites using the core OpenID module, an information disclosure
vulnerability was identified that allows an attacker to read files on
the local filesystem by attempting to log in to the site using a
malicious OpenID server (Drupal SA-CORE-2012-003).


Updated packages in core/updates_testing:


from SRPMS:
Comment 1 claire robinson 2012-11-01 14:26:58 CET
Validated on bug 5844 but needs to be pushed separately from the update for mga1.

Could sysadmin please push these mga2 packages from core/updates_testing to core/updates.


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => mga2-32-OK mga2-64-OK
Severity: normal => critical

Comment 2 Thomas Backlund 2012-11-01 15:57:47 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.