Hi, attached is a patch for a 0-day NMU to fix this issue. Cheers Nico
-- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
diff -u drupal6-6.12/debian/changelog drupal6-6.12/debian/changelog
--- drupal6-6.12/debian/changelog
+++ drupal6-6.12/debian/changelog
@@ -1,3 +1,14 @@
+drupal6 (6.12-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply upstream patch to fix:
+ - XSS in the forum module
+ - Input format access bypass via signatures
+ - Password leakage via URLs
+ (no CVE id yet; SA-CORE-2009-007; Closes: #535435).
+
+ -- Nico Golde <n...@debian.org> Mon, 06 Jul 2009 20:27:45 +0200
+
drupal6 (6.12-1) unstable; urgency=low
[ Luigi Gangitano ]
diff -u drupal6-6.12/debian/patches/00list drupal6-6.12/debian/patches/00list
--- drupal6-6.12/debian/patches/00list
+++ drupal6-6.12/debian/patches/00list
@@ -1,0 +2 @@
+20_SA-CORE-2009-007
only in patch2:
unchanged:
--- drupal6-6.12.orig/debian/patches/20_SA-CORE-2009-007.dpatch
+++ drupal6-6.12/debian/patches/20_SA-CORE-2009-007.dpatch
@@ -0,0 +1,202 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_SA-CORE-2009-007.dpatch by Nico Golde <n...@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: SA-CORE-2009-007 various security issues
+
+...@dpatch@
+diff -urNad drupal6-6.12~/includes/pager.inc drupal6-6.12/includes/pager.inc
+--- drupal6-6.12~/includes/pager.inc 2007-12-06 10:58:30.000000000 +0100
++++ drupal6-6.12/includes/pager.inc 2009-07-06 20:26:04.000000000 +0200
+@@ -85,7 +85,7 @@
+ function pager_get_querystring() {
+ static $string = NULL;
+ if (!isset($string)) {
+- $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
++ $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
+ }
+ return $string;
+ }
+diff -urNad drupal6-6.12~/includes/tablesort.inc drupal6-6.12/includes/tablesort.inc
+--- drupal6-6.12~/includes/tablesort.inc 2008-01-04 10:31:48.000000000 +0100
++++ drupal6-6.12/includes/tablesort.inc 2009-07-06 20:26:04.000000000 +0200
+@@ -136,7 +136,7 @@
+ * except for those pertaining to table sorting.
+ */
+ function tablesort_get_querystring() {
+- return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
++ return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
+ }
+
+ /**
+diff -urNad drupal6-6.12~/modules/comment/comment.module drupal6-6.12/modules/comment/comment.module
+--- drupal6-6.12~/modules/comment/comment.module 2009-05-13 19:15:10.000000000 +0200
++++ drupal6-6.12/modules/comment/comment.module 2009-07-06 20:26:04.000000000 +0200
+@@ -936,7 +936,7 @@
+
+ if ($cid && is_numeric($cid)) {
+ // Single comment view.
+- $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
++ $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
+ $query_args = array($cid);
+ if (!user_access('administer comments')) {
+ $query .= ' AND c.status = %d';
+@@ -957,7 +957,7 @@
+ else {
+ // Multiple comment view
+ $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d';
+- $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
++ $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
+
+ $query_args = array($nid);
+ if (!user_access('administer comments')) {
+@@ -1468,7 +1468,7 @@
+ $output = '';
+
+ if ($edit['pid']) {
+- $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
++ $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
+ $comment = drupal_unpack($comment);
+ $comment->name = $comment->uid ? $comment->registered_name : $comment->name;
+ $output .= theme('comment_view', $comment, $node);
+@@ -1778,14 +1778,14 @@
+ function theme_comment_post_forbidden($node) {
+ global $user;
+ static $authenticated_post_comments;
+-
++
+ if (!$user->uid) {
+ if (!isset($authenticated_post_comments)) {
+ // We only output any link if we are certain, that users get permission
+ // to post comments by logging in. We also locally cache this information.
+ $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval'));
+ }
+-
++
+ if ($authenticated_post_comments) {
+ // We cannot use drupal_get_destination() because these links
+ // sometimes appear on /node and taxonomy listing pages.
+diff -urNad drupal6-6.12~/modules/comment/comment.pages.inc drupal6-6.12/modules/comment/comment.pages.inc
+--- drupal6-6.12~/modules/comment/comment.pages.inc 2008-02-07 19:53:38.000000000 +0100
++++ drupal6-6.12/modules/comment/comment.pages.inc 2009-07-06 20:26:04.000000000 +0200
+@@ -70,7 +70,7 @@
+ // $pid indicates that this is a reply to a comment.
+ if ($pid) {
+ // load the comment whose cid = $pid
+- if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
++ if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
+ // If that comment exists, make sure that the current comment and the parent comment both
+ // belong to the same parent node.
+ if ($comment->nid != $node->nid) {
+diff -urNad drupal6-6.12~/modules/forum/forum.pages.inc drupal6-6.12/modules/forum/forum.pages.inc
+--- drupal6-6.12~/modules/forum/forum.pages.inc 2007-07-26 08:48:03.000000000 +0200
++++ drupal6-6.12/modules/forum/forum.pages.inc 2009-07-06 20:26:04.000000000 +0200
+@@ -10,6 +10,11 @@
+ * Menu callback; prints a forum listing.
+ */
+ function forum_page($tid = 0) {
++ if (!is_numeric($tid)) {
++ return MENU_NOT_FOUND;
++ }
++ $tid = (int)$tid;
++
+ $topics = '';
+ $forum_per_page = variable_get('forum_per_page', 25);
+ $sortby = variable_get('forum_order', 1);
+diff -urNad drupal6-6.12~/modules/system/system.install drupal6-6.12/modules/system/system.install
+--- drupal6-6.12~/modules/system/system.install 2009-04-27 14:50:13.000000000 +0200
++++ drupal6-6.12/modules/system/system.install 2009-07-06 20:26:04.000000000 +0200
+@@ -2565,6 +2565,39 @@
+ }
+
+ /**
++ * Create a signature_format column.
++ */
++function system_update_6051() {
++ $ret = array();
++
++ if (!db_column_exists('users', 'signature_format')) {
++
++ // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default
++ // when incompatible modules insert into the users table. An actual format
++ // will be assigned when users save their signature.
++
++ $schema = array(
++ 'type' => 'int',
++ 'size' => 'small',
++ 'not null' => TRUE,
++ 'default' => FILTER_FORMAT_DEFAULT,
++ 'description' => 'The {filter_formats}.format of the signature.',
++ );
++
++ db_add_field($ret, 'users', 'signature_format', $schema);
++
++ // Set the format of existing signatures to the current default input format.
++ if ($current_default_filter = variable_get('filter_default_format', 0)) {
++ $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter);
++ }
++
++ drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. Existing signatures have been set to your site's default input format.");
++ }
++
++ return $ret;
++}
++
++/**
+ * @} End of "defgroup updates-6.x-extra"
+ * The next series of updates should start at 7000.
+ */
+diff -urNad drupal6-6.12~/modules/user/user.install drupal6-6.12/modules/user/user.install
+--- drupal6-6.12~/modules/user/user.install 2009-01-06 16:46:38.000000000 +0100
++++ drupal6-6.12/modules/user/user.install 2009-07-06 20:26:04.000000000 +0200
+@@ -191,6 +191,13 @@
+ 'default' => '',
+ 'description' => "User's signature.",
+ ),
++ 'signature_format' => array(
++ 'type' => 'int',
++ 'size' => 'small',
++ 'not null' => TRUE,
++ 'default' => 0,
++ 'description' => 'The {filter_formats}.format of the signature.',
++ ),
+ 'created' => array(
+ 'type' => 'int',
+ 'not null' => TRUE,
+diff -urNad drupal6-6.12~/modules/user/user.module drupal6-6.12/modules/user/user.module
+--- drupal6-6.12~/modules/user/user.module 2009-04-27 14:02:27.000000000 +0200
++++ drupal6-6.12/modules/user/user.module 2009-07-06 20:26:04.000000000 +0200
+@@ -532,7 +532,7 @@
+ }
+ else {
+ // Make sure we return the default fields at least.
+- $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
++ $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'signature_format', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
+ }
+ }
+
+@@ -1519,6 +1519,15 @@
+ '#default_value' => $edit['signature'],
+ '#description' => t('Your signature will be publicly displayed at the end of your comments.'),
+ );
++
++ // Prevent a "validation error" message when the user attempts to save with a default value they
++ // do not have access to.
++ if (!filter_access($edit['signature_format']) && empty($_POST)) {
++ drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page."));
++ $edit['signature_format'] = FILTER_FORMAT_DEFAULT;
++ }
++
++ $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format'));
+ }
+
+ // Picture/avatar:
+@@ -2031,7 +2040,7 @@
+ // Validate signature.
+ if ($op == 'view') {
+ if (variable_get('user_signatures', 0) && !empty($comment->signature)) {
+- $comment->signature = check_markup($comment->signature, $comment->format);
++ $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE);
+ }
+ else {
+ $comment->signature = '';
pgpU0hBG9rXd7.pgp
Description: PGP signature
