Bug 1020777 (CVE-2013-4445, CVE-2013-4446)

Summary: CVE-2013-4445 CVE-2013-4446 drupal-context: multiple vulnerabilities
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Reporter: Ratul Gupta <ratulg>
Assignee: Red Hat Product Security <security-response-team>
CC: ccoleman, dmcphers, jialiu, lmeyer, peter.borsa, ratulg, sdodson, shawn, tkramer
Keywords: Security
Whiteboard: impact=important,public=20131016,reported=20131018,source=oss-security,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/drupal6-context=affected,fedora-all/drupal7-context=affected,epel-6/drupal6-context=affected,epel-all/drupal7-context=affected,openshift-1/drupal6-context=affected
Doc Type: Bug Fix
Last Closed: 2014-03-06 23:19:48 EST
Bug Depends On: 1020780, 1020781, 1020783, 1020784, 1020785

Description Ratul Gupta 2013-10-18 05:25:49 EDT
Context, a Drupal module which allows you to manage contextual conditions and reactions for different portions of your site, was found to have two severe security issues.

The first issue is that the module allows execution of PHP code via manipulation of a URL argument in a path used for AJAX operations when running in a configuration without a json_decode function provided by PHP or the PECL JSON library. The vulnerability is

This vulnerability is only exploitable on a server running a PHP version prior to 5.2 that does not have the json library installed.

The second issue is that the module uses Drupal's token scheme to restrict access to the JSON rendering of a block. This control mechanism is insufficient, as Drupal's token scheme is designed to provide security between two different sessions (or a session and a non-authenticated user) and is not designed to provide security within a session. The vulnerability is mitigated by needing blocks that have sensitive information.

The suggested fix is to update Drupal6-context to 6.x-3.2 and Drupal7-context to 7.x-3.0.

References:
http://seclists.org/fulldisclosure/2013/Oct/118
https://drupal.org/node/2113317
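Added example for the second issue described in the report above; this is not code from the Context module or from Drupal core. It models the shape of Drupal's drupal_get_token()/drupal_valid_token() scheme (a keyed hash over the session id and a caller-chosen value) with a hypothetical AJAX endpoint that gates every block on one fixed token value, `context_block`; the private key, block table and roles are constructed for the demonstration. The point it shows is the one the advisory makes: a token of this kind rejects a request that comes from another session, but within the session it says nothing about whether that user may see the block, so the endpoint needs its own access check.

```python
import hashlib
import hmac
import secrets

# Stand-in for the site's private key; generated per run for the demo.
PRIVATE_KEY = secrets.token_bytes(32)

# Constructed block table: what each block renders and which roles may see it.
BLOCKS = {
    "site_footer": {
        "body": "Site footer",
        "roles": {"anonymous", "authenticated", "administrator"},
    },
    "sales_report": {
        "body": "Q3 revenue (confidential)",
        "roles": {"administrator"},
    },
}

# Hypothetical: the endpoint protects every block with a token over one fixed value.
TOKEN_VALUE = "context_block"


def get_token(session_id: str, value: str = "") -> str:
    """Session-bound token: keyed hash over the session id and a chosen value.

    This is a model of the drupal_get_token() design, not its exact construction.
    """
    msg = f"{session_id}:{value}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(session_id: str, token: str, value: str = "") -> bool:
    """Model of drupal_valid_token(): true only for the session that issued it."""
    return hmac.compare_digest(get_token(session_id, value), token)


def render_block_token_only(session_id: str, token: str, block: str):
    """Flawed pattern: the token is the only gate on the JSON rendering."""
    if block not in BLOCKS or not valid_token(session_id, token, TOKEN_VALUE):
        return None
    return BLOCKS[block]["body"]


def render_block_checked(session_id: str, roles: set, token: str, block: str):
    """Token still required (it is the cross-session defence) plus a real access check."""
    if block not in BLOCKS or not valid_token(session_id, token, TOKEN_VALUE):
        return None
    if not (BLOCKS[block]["roles"] & roles):
        return None
    return BLOCKS[block]["body"]


def demo() -> dict:
    """Run the scenario and return each outcome keyed by name."""
    user_sid = secrets.token_hex(16)  # an ordinary authenticated user's session
    user_roles = {"authenticated"}
    # The page legitimately embeds this token so the browser can fetch the footer...
    user_token = get_token(user_sid, TOKEN_VALUE)
    # ...and, within the same session, it is equally valid for any other block name.
    leaked = render_block_token_only(user_sid, user_token, "sales_report")
    blocked = render_block_checked(user_sid, user_roles, user_token, "sales_report")
    allowed = render_block_checked(user_sid, user_roles, user_token, "site_footer")
    # What the token does stop: replaying it from a different session.
    other_sid = secrets.token_hex(16)
    cross = render_block_token_only(other_sid, user_token, "site_footer")
    # An administrator with their own token still gets the confidential block.
    admin_sid = secrets.token_hex(16)
    admin = render_block_checked(
        admin_sid, {"administrator"}, get_token(admin_sid, TOKEN_VALUE), "sales_report"
    )
    return {
        "leaked": leaked,
        "blocked": blocked,
        "allowed": allowed,
        "cross_session": cross,
        "admin": admin,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The fix the advisory points at is the shape of render_block_checked: keep the token, because it is what stops another session or an unauthenticated visitor from driving the endpoint, and add the block's own access check, because nothing in the token expresses that.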
Comment 2 Ratul Gupta 2013-10-18 05:28:53 EDT
Created drupal6-context tracking bugs for this issue:

Affects: fedora-all [bug 1020780]
Affects: epel-6 [bug 1020783]
Comment 3 Ratul Gupta 2013-10-18 05:29:03 EDT
Created drupal7-context tracking bugs for this issue:

Affects: fedora-all [bug 1020781]
Affects: epel-all [bug 1020784]
Comment 4 Fedora Update System 2013-11-12 21:01:19 EST
drupal7-context-3.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-11-20 23:38:44 EST
drupal7-context-3.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-11-20 23:41:08 EST
drupal7-context-3.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-11-30 21:51:00 EST
drupal7-context-3.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-11-30 21:51:56 EST
drupal7-context-3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Peter Borsa 2013-12-02 05:14:21 EST
It has been updated but one issue is left. However, I cannot see it because I get "access denied":

https://bugzilla.redhat.com/show_bug.cgi?id=1020785

Should I do anything else?
Comment 11 Shawn Iwinski 2014-03-06 16:07:29 EST
All dependent bugs are closed.  Should the owners of the packages close this bug or should you close it?