Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package drupal7. Version 7.14-1.2 backports the patch between 7.17 and 7.18, which fixes one arbitrary code execution vulnerability and one information disclosure vulnerability: http://drupal.org/SA-CORE-2012-004 I am attaching the debdiff between 7.14-1.1 (currently in testing) and this version. Thanks, unblock drupal7/7.14-1.2 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog
--- drupal7-7.14/debian/changelog 2012-10-19 13:09:14.000000000 -0500
+++ drupal7-7.14/debian/changelog 2013-01-11 17:58:46.000000000 -0600
@@ -1,3 +1,11 @@
+drupal7 (7.14-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Incorporated the fix for SA-CORE-2012-004 (the full diff between
+ 7.17 and 7.18)
+
+ -- Gunnar Wolf <gw...@debian.org> Fri, 11 Jan 2013 17:57:47 -0600
+
 drupal7 (7.14-1.1) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru drupal7-7.14/debian/patches/50_SA-CORE-2012-004 drupal7-7.14/debian/patches/50_SA-CORE-2012-004
--- drupal7-7.14/debian/patches/50_SA-CORE-2012-004 1969-12-31 18:00:00.000000000 -0600
+++ drupal7-7.14/debian/patches/50_SA-CORE-2012-004 2013-01-11 17:56:43.000000000 -0600
@@ -0,0 +1,83 @@
+Index: drupal7-7.14/includes/file.inc
+===================================================================
+--- drupal7-7.14.orig/includes/file.inc 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/includes/file.inc 2013-01-11 17:49:01.000000000 -0600
+@@ -1113,6 +1113,9 @@
+
+ // Allow potentially insecure uploads for very savvy users and admin
+ if (!variable_get('allow_insecure_uploads', 0)) {
++ // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
++ $filename = str_replace(chr(0), '', $filename);
++
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+
+ // Split the filename up by periods. The first part becomes the basename
+Index: drupal7-7.14/modules/user/user.test
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.test 2012-05-02 17:10:42.000000000 -0500
++++ drupal7-7.14/modules/user/user.test 2013-01-11 17:50:51.000000000 -0600
+@@ -2020,7 +2020,7 @@
+ public static function getInfo() {
+ return array(
+ 'name' => 'User search',
+- 'description' => 'Testing that only user with the right permission can see the email address in the user search.',
++ 'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
+ 'group' => 'User',
+ );
+ }
+@@ -2040,11 +2040,29 @@
+ $edit = array('keys' => $keys);
+ $this->drupalPost('search/user/', $edit, t('Search'));
+ $this->assertText($keys);
++
++ // Create a blocked user.
++ $blocked_user = $this->drupalCreateUser();
++ $edit = array('status' => 0);
++ $blocked_user = user_save($blocked_user, $edit);
++
++ // Verify that users with "administer users" permissions can see blocked
++ // accounts in search results.
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
++
++ // Verify that users without "administer users" permissions do not see
++ // blocked accounts in search results.
++ $this->drupalLogin($user1);
++ $edit = array('keys' => $blocked_user->name);
++ $this->drupalPost('search/user/', $edit, t('Search'));
++ $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
++
+ $this->drupalLogout();
+ }
+ }
+
+-
+ /**
+ * Test role assignment.
+ */
+Index: drupal7-7.14/modules/user/user.module
+===================================================================
+--- drupal7-7.14.orig/modules/user/user.module 2013-01-11 17:56:26.000000000 -0600
++++ drupal7-7.14/modules/user/user.module 2013-01-11 17:56:39.000000000 -0600
+@@ -924,14 +924,18 @@
+ $query = db_select('users')->extend('PagerDefault');
+ $query->fields('users', array('uid'));
+ if (user_access('administer users')) {
+- // Administrators can also search in the otherwise private email field.
++ // Administrators can also search in the otherwise private email field,
++ // and they don't need to be restricted to only active users.
+ $query->fields('users', array('mail'));
+ $query->condition(db_or()->
+ condition('name', '%' . db_like($keys) . '%', 'LIKE')->
+ condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
+ }
+ else {
+- $query->condition('name', '%' . db_like($keys) . '%', 'LIKE');
++ // Regular users can only search via usernames, and we do not show them
++ // blocked accounts.
++ $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
++ ->condition('status', 1);
+ }
+ $uids = $query
+ ->limit(15)
diff -Nru drupal7-7.14/debian/patches/series drupal7-7.14/debian/patches/series
--- drupal7-7.14/debian/patches/series 2012-10-19 13:14:34.000000000 -0500
+++ drupal7-7.14/debian/patches/series 2013-01-11 17:47:21.000000000 -0600
@@ -1,3 +1,4 @@
 10_cronjob.patch
 30_DFSG-sources.patch
 40_SA-CORE-2012-003
+50_SA-CORE-2012-004
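Review bot: In the includes/file.inc part of the new patch, the null-byte strip `$filename = str_replace(chr(0), '', $filename);` is added inside the `if (!variable_get('allow_insecure_uploads', 0))` block, so as far as this hunk shows a site that has enabled insecure uploads gets no cleaning of the filename at all; the placement follows the upstream hunk being backported, but moving that one line above the `if` would apply it regardless of the setting without changing anything else. The patch file itself begins at `Index:` with no DEP-3 header, so an `Origin: upstream, http://drupal.org/SA-CORE-2012-004` line plus a short `Description:` naming the two issues fixed would let the next uploader tell what was backported without reading the changelog. In the modules/user/user.test hunk, `$this->drupalLogin($user1)` depends on `$user1` being created earlier in the test method, which starts outside the hunk, so that part of the backport should be checked against the 7.14 version of the test rather than assumed from 7.18.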