diff -u drupal5-5.7/debian/patches/00list drupal5-5.7/debian/patches/00list --- drupal5-5.7/debian/patches/00list +++ drupal5-5.7/debian/patches/00list @@ -13,0 +14,2 @@ +23_SA-CORE-2010-001 +24_SA-CORE-2010-002 diff -u drupal5-5.7/debian/changelog drupal5-5.7/debian/changelog --- drupal5-5.7/debian/changelog +++ drupal5-5.7/debian/changelog @@ -1,3 +1,14 @@ +drupal5 (5.7-1ubuntu1.3) hardy-security; urgency=low + + * SECURITY UPDATE: Multiple vulnerabilities and weaknesses were + discovered in Drupal (LP: #539056). + - CVE-2010-3092 + - CVE-2010-3093 + - SA-CORE-2010-001 + - SA-CORE-2010-002 + + -- Artur Rona Mon, 27 Dec 2010 22:35:21 +0100 + drupal5 (5.7-1ubuntu1.2) hardy-security; urgency=low * SECURITY UPDATE: Multiple vulnerabilities and weaknesses diff -u drupal5-5.7/debian/control drupal5-5.7/debian/control --- drupal5-5.7/debian/control +++ drupal5-5.7/debian/control @@ -1,7 +1,7 @@ Source: drupal5 Section: web Priority: extra -Maintainer: Ubuntu MOTU Developers +Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Luigi Gangitano Build-Depends: debhelper (>= 4), dpatch Standards-Version: 3.7.3 only in patch2: unchanged: --- drupal5-5.7.orig/debian/patches/24_SA-CORE-2010-002.dpatch +++ drupal5-5.7/debian/patches/24_SA-CORE-2010-002.dpatch @@ -0,0 +1,60 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 
From: Artur Rona
+## Description: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+## Bug: http://drupal.org/node/880476
+## Bug-Ubuntu: https://launchpad.net/bugs/539056
+## Origin: upstream, http://git.drupalfr.org/cgi-bin/gitweb.cgi?p=core/new-date.git;a=commitdiff;h=081fe4e80161861614d7672350e220d96d5f32cf;hp=bf60f363027a4e452b11824d3305279e5a3eb4fb
+## Forwarded: not-needed
+## Author: Drupal security team
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal5-5.18.orig/modules/comment/comment.module drupal5-5.18/modules/comment/comment.module
+--- drupal5-5.18.orig/modules/comment/comment.module 2009-04-29 20:32:15.000000000 +0200
++++ drupal5-5.18/modules/comment/comment.module 2010-12-27 21:44:52.000000000 +0100
+@@ -575,7 +575,7 @@ function comment_access($op, $comment) {
+ global $user;
+
+ if ($op == 'edit') {
+- return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
++ return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
+ }
+ }
+
+diff -pruN -x '*~' drupal5-5.18.orig/modules/upload/upload.module drupal5-5.18/modules/upload/upload.module
+--- drupal5-5.18.orig/modules/upload/upload.module 2008-10-08 22:10:26.000000000 +0200
++++ drupal5-5.18/modules/upload/upload.module 2010-12-27 21:44:52.000000000 +0100
+@@ -259,9 +259,15 @@ function upload_download() {
+ }
+
+ function upload_file_download($file) {
+- $file = file_create_path($file);
+- $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
+- if ($file = db_fetch_object($result)) {
++ $filepath = file_create_path($file);
++ $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
++ while ($file = db_fetch_object($result)) {
++ if ($filepath !== $file->filepath) {
++ // Since some database servers sometimes use a case-insensitive
++ // comparison by 
default, double check that the filename is an exact
++ // match.
++ continue;
++ }
+ if (user_access('view uploaded files')) {
+ $node = node_load($file->nid);
+ if (node_access('view', $node)) {
+@@ -271,13 +277,8 @@ function upload_file_download($file) {
+ 'Content-Length: '. $file->filesize,
+ );
+ }
+- else {
+- return -1;
+- }
+- }
+- else {
+- return -1;
+ }
++ return -1;
+ }
+ }
+
only in patch2: unchanged:
--- drupal5-5.7.orig/debian/patches/23_SA-CORE-2010-001.dpatch
+++ drupal5-5.7/debian/patches/23_SA-CORE-2010-001.dpatch
@@ -0,0 +1,183 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 
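Review bot: With both `else { return -1; }` branches removed, `upload_file_download()` now returns nothing when the query yields no exact-match row (the `while` body never runs), whereas the old code answered -1 for an unknown path; how the caller treats an empty hook result versus -1 is outside this hunk, so confirm that the changed answer for unknown paths is intended. The loop also overwrites the `$file` parameter with each fetched row, which makes the function harder to follow; a local such as `while ($row = db_fetch_object($result)) {` with `if ($filepath !== $row->filepath) {` and the later `$file->` uses renamed to match would keep the argument distinct from the row. The strict `!==` comparison against the stored path is the right guard for case-insensitive collations and deserves to stay.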
From: Artur Rona
+## Description: Multiple vulnerabilities and weaknesses were discovered in Drupal.
+## Bug: http://drupal.org/node/731710
+## Bug-Ubuntu: https://launchpad.net/bugs/539056
+## Origin: upstream, http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch
+## Forwarded: not-needed
+## Author: Drupal security team
+
+@DPATCH@
+
+diff -pruN -x '*~' drupal5-5.7.orig/includes/common.inc drupal5-5.7/includes/common.inc
+--- drupal5-5.7.orig/includes/common.inc 2008-01-22 10:36:49.000000000 +0100
++++ drupal5-5.7/includes/common.inc 2010-12-27 22:52:21.000000000 +0100
+@@ -293,11 +293,22 @@ function drupal_get_destination() {
+ * @see drupal_get_destination()
+ */
+ function drupal_goto($path = '', $query = NULL, $fragment = NULL, $http_response_code = 302) {
++
++ $destination = FALSE;
+ if (isset($_REQUEST['destination'])) {
+- extract(parse_url(urldecode($_REQUEST['destination'])));
++ $destination = $_REQUEST['destination'];
+ }
+ else if (isset($_REQUEST['edit']['destination'])) {
+- extract(parse_url(urldecode($_REQUEST['edit']['destination'])));
++ $destination = $_REQUEST['edit']['destination'];
++ }
++
++ if ($destination) {
++ // Do not redirect to an absolute URL originating from user input. 
++ $colonpos = strpos($destination, ':');
++ $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colonpos)));
++ if (!$absolute) {
++ extract(parse_url(urldecode($destination)));
++ }
+ }
+
+ $url = url($path, $query, $fragment, TRUE);
+diff -pruN -x '*~' drupal5-5.7.orig/includes/locale.inc drupal5-5.7/includes/locale.inc
+--- drupal5-5.7.orig/includes/locale.inc 2007-12-17 02:53:52.000000000 +0100
++++ drupal5-5.7/includes/locale.inc 2010-12-27 22:52:21.000000000 +0100
+@@ -41,6 +41,9 @@ function _locale_admin_manage_screen() {
+ $options = array();
+ $form['name'] = array('#tree' => TRUE);
+ foreach ($languages['name'] as $key => $lang) {
++ // Language code should contain no markup, but is emitted
++ // by radio and checkbox options.
++ $key = check_plain($key);
+ $options[$key] = '';
+ $status = db_fetch_object(db_query("SELECT isdefault, enabled FROM {locales_meta} WHERE locale = '%s'", $key));
+ if ($status->enabled) {
+@@ -97,6 +100,14 @@ function theme_locale_admin_manage_scree
+ return $output;
+ }
+
++function _locale_admin_manage_screen_validate($form_id, $form_values) {
++ foreach ($form_values['name'] as $key => $value) {
++ if (preg_match('/["<>\']/', $value)) {
++ form_set_error('name][' . $key, t('The characters <, >, " and \' are not allowed in the language name in English field.'));
++ }
++ }
++}
++
+ /**
+ * Process locale admin manager form submissions.
+ */
+@@ -184,12 +195,22 @@ function locale_add_language_form_valida
+ form_set_error(t('The language %language (%code) already exists.', array('%language' => $form_values['langname'], '%code' => $form_values['langcode'])));
+ }
+
++ // If we are adding a non-custom language, check for a valid langcode. 
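Review bot: The absolute-URL test at `$colonpos = strpos($destination, ':')` inspects the raw request value, while `extract(parse_url(urldecode($destination)))` two lines later parses a further-decoded copy, so the decision and the parse can be made on different strings when the value contains percent-encoding; deciding on the same string avoids that: `$destination = urldecode($destination);` before the `strpos`, and `extract(parse_url($destination));` inside `if (!$absolute)`. Separately, `extract()` on `parse_url()` output writes every key the parser returns (`scheme`, `host`, `user`, `pass`, `port`, …) into the function's locals rather than only `path`, `query` and `fragment`; reading those three keys explicitly from the parsed array is the safer shape for user-derived data and also removes the reliance on the `$path`/`$query`/`$fragment` parameters being shadowed. `drupal_goto()` continues past the `$url = url(...)` line that ends the hunk.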
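Review bot: `$key = check_plain($key);` rebinds the loop variable before it is used as the `locale = '%s'` argument of the `db_query()` two lines below, so a stored language code containing `&`, `<`, `>`, `"` or `'` is HTML-escaped before being compared with the database value and the lookup silently misses, leaving `$status` without the `enabled`/`isdefault` fields. Keep the escaping for output only: `$safe_key = check_plain($key); $options[$safe_key] = '';` and leave the query as `..., $key));`. The escaped key also becomes the submitted form value for `$form['name']`, so whatever consumes that value later in the file receives escaped codes; that consumer is outside the hunk.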
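Review bot: The pattern `'/["<>\']/'` added in `_locale_admin_manage_screen_validate()` is repeated twice more in the `@@ -184,12 +195,22` hunk of this same file (the langcode and langname checks), each with its own copy of the message text; a single helper such as `function _locale_has_markup_chars($value) { return (bool) preg_match('/["<>\']/', $value); }` (name constructed here) would keep the three sites in step if the forbidden set ever changes. The `@@ -184,12` hunk's added comment also misspells the word: `// Otherwise, check for invalid characters`.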
+ if (!isset($form_values['langname'])) {
+ $isocodes = _locale_get_iso639_list();
+ if (!isset($isocodes[$form_values['langcode']])) {
+ form_set_error('langcode', t('Invalid language code.'));
+ }
+ }
++ // Otherwise, check for invlaid characters
++ else {
++ if (preg_match('/["<>\']/', $form_values['langcode'])) {
++ form_set_error('langcode', t('The characters <, >, " and \' are not allowed in the language code field.'));
++ }
++ if (preg_match('/["<>\']/', $form_values['langname'])) {
++ form_set_error('langname', t('The characters <, >, " and \' are not allowed in the language name in English field.'));
++ }
++ }
+ }
+
+ /**
+@@ -331,8 +352,14 @@ function _locale_export_po_form_submit($
+ function _locale_string_seek_form() {
+ // Get *all* languages set up
+ $languages = locale_supported_languages(FALSE, TRUE);
+- asort($languages['name']); unset($languages['name']['en']);
+- $languages['name'] = array_map('check_plain', $languages['name']);
++ unset($languages['name']['en']);
++ // Sanitize the values to be used in radios.
++ $languages_name = array();
++ foreach ($languages['name'] as $key => $value) {
++ $languages_name[check_plain($key)] = check_plain($value);
++ }
++ $languages['name'] = $languages_name;
++ asort($languages['name']);
+
+ // Present edit form preserving previous user settings
+ $query = _locale_string_seek_query();
+diff -pruN -x '*~' drupal5-5.7.orig/includes/session.inc drupal5-5.7/includes/session.inc
+--- drupal5-5.7.orig/includes/session.inc 2007-07-26 21:16:45.000000000 +0200
++++ drupal5-5.7/includes/session.inc 2010-12-27 22:57:21.000000000 +0100
+@@ -31,8 +31,9 @@ function sess_read($key) {
+ // Otherwise, if the session is still active, we have a record of the client's session in the database. 
+ $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key));
+
+- // We found the client's session record and they are an authenticated user
+- if ($user && $user->uid > 0) {
++ // We found the client's session record and they are an authenticated,
++ // active user.
++ if ($user && $user->uid > 0 && $user->status == 1) {
+ // This is done to unserialize the data member of $user
+ $user = drupal_unpack($user);
+
+@@ -44,7 +45,8 @@ function sess_read($key) {
+ $user->roles[$role->rid] = $role->name;
+ }
+ }
+- // We didn't find the client's record (session has expired), or they are an anonymous user.
++ // We didn't find the client's record (session has expired), or they are
++ // blocked, or they are an anonymous user.
+ else {
+ $session = isset($user->session) ? $user->session : '';
+ $user = drupal_anonymous_user($session);
+diff -pruN -x '*~' drupal5-5.7.orig/modules/locale/locale.install drupal5-5.7/modules/locale/locale.install
+--- drupal5-5.7.orig/modules/locale/locale.install 2006-11-14 07:20:40.000000000 +0100
++++ drupal5-5.7/modules/locale/locale.install 2010-12-27 22:52:21.000000000 +0100
+@@ -85,3 +85,23 @@ function locale_uninstall() {
+ db_query('DROP TABLE {locales_source}');
+ db_query('DROP TABLE {locales_target}');
+ }
++
++/**
++ * Neutralize unsafe language names in the database.
++ */
++function locale_update_1() {
++ $ret = array();
++ $matches = db_result(db_query("SELECT 1 FROM {locales_meta} WHERE name LIKE '%<%' OR name LIKE '%>%'"));
++ if ($matches) {
++ $ret[] = update_sql("UPDATE {locales_meta} SET name = REPLACE(name, '<', '')");
++ $ret[] = update_sql("UPDATE {locales_meta} SET name = REPLACE(name, '>', '')");
++ drupal_set_message('The language name in English of all the existing custom languages of your site have been sanitized for security purposes. 
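Review bot: The new `$user->status == 1` clause in `sess_read()` sends a blocked account down the `else` branch shown in the following `@@ -44,7 +45,8` hunk, where `$session = isset($user->session) ? $user->session : ''` hands the blocked user's stored session data to `drupal_anonymous_user()`, so the blocked account's session payload lives on as the anonymous session instead of being discarded. If that carry-over is not wanted, clear it for the blocked case, e.g. `$session = ($user && $user->uid > 0) ? '' : (isset($user->session) ? $user->session : '');`. The `== 1` comparison is loose; `status` comes straight from the row fetched at the top of the hunk, so that is presumably deliberate for this codebase, but a short comment saying so next to the condition would save the next reader the question.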
Visit the Languages page to check these and fix them if necessary.', 'warning');
++ }
++ // Check if some langcode values contain potentially dangerous characters and
++ // warn the user if so. These are not fixed since they are referenced in other
++ // tables (e.g. {node}).
++ if (db_result(db_query("SELECT 1 FROM {locales_meta} WHERE locale LIKE '%<%' OR locale LIKE '%>%' OR locale LIKE '%\"%' OR locale LIKE '%\\\\\%'"))) {
++ drupal_set_message('Some of your custom language code values contain invalid characters. You should examine the Languages page. These must be fixed manually.', 'error');
++ }
++ return $ret;
++}
+diff -pruN -x '*~' drupal5-5.7.orig/modules/locale/locale.module drupal5-5.7/modules/locale/locale.module
+--- drupal5-5.7.orig/modules/locale/locale.module 2006-12-27 14:11:59.000000000 +0100
++++ drupal5-5.7/modules/locale/locale.module 2010-12-27 22:52:21.000000000 +0100
+@@ -137,15 +137,17 @@ function locale_user($type, $edit, &$use
+ if ($user->language == '') {
+ $user->language = key($languages['name']);
+ }
+- $languages['name'] = array_map('check_plain', array_map('t', $languages['name']));
++ foreach (array_map('t', $languages['name']) as $key => $value) {
++ $languages_name[check_plain($key)] = check_plain($value);
++ }
+ $form['locale'] = array('#type' => 'fieldset',
+ '#title' => t('Interface language settings'),
+ '#weight' => 1,
+ );
+ $form['locale']['language'] = array('#type' => 'radios',
+ '#title' => t('Language'),
+- '#default_value' => $user->language,
+- '#options' => $languages['name'],
++ '#default_value' => check_plain($user->language),
++ '#options' => $languages_name,
+ '#description' => t('Selecting a different locale will change the interface language of the site.'),
+ );
+ return $form;
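Review bot: `locale_update_1()` strips only `<` and `>` from `name` via the two `REPLACE` statements, while the validators added in locale.inc also reject `"` and `'`, so an existing name containing a quote passes the update untouched and then fails validation the next time the Languages form is saved; either extend the `REPLACE` chain to the same character set or state the gap in the warning message. The two `drupal_set_message()` strings are the only user-visible text in this patch not wrapped in `t()`; e.g. `drupal_set_message(t('Some of your custom language code values contain invalid characters. You should examine the Languages page. These must be fixed manually.'), 'error');`. The final `LIKE '%\\\\\%'` pattern goes through two layers of escaping (PHP string, then the database) and is hard to read as written; a comment naming the literal character it is meant to detect would help.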
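Review bot: `$languages_name` is first assigned inside the added `foreach (array_map('t', $languages['name']) as $key => $value)` loop, so if `$languages['name']` is ever empty the variable is never created and `'#options' => $languages_name` reads an undefined variable; the parallel change to `_locale_string_seek_form()` in this patch initialises it with `$languages_name = array();` before its loop, and this hunk should do the same for consistency. `locale_user()` begins and ends outside the hunk.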