Bug 1089819 (CVE-2014-2983)

Summary: CVE-2014-2983 drupal: information disclosure flaw in form API
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ccoleman, dmcphers, gwync, hello, jialiu, kseifried, lmeyer, mmcallis, shawn, stickster, sven, tkramer, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: drupal 6.31, drupal 7.27 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-05 01:51:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1089820, 1089822, 1089823, 1089825, 1089827    
Bug Blocks:    

Description Murray McAllister 2014-04-22 04:01:24 UTC 
The Drupal SA-CORE-2014-002 advisory fixes the following issue:

""
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.
""

This issue is corrected in versions 6.31 and 7.27 (these versions are currently in Fedora and EPEL testing).

External References:

https://drupal.org/SA-CORE-2014-002
Comment 2 Murray McAllister 2014-04-22 04:03:46 UTC 
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1089823]
Affects: epel-all [bug 1089825]
Comment 3 Murray McAllister 2014-04-22 04:03:51 UTC 
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1089820]
Affects: epel-all [bug 1089822]
Comment 4 Peter Borsa 2014-05-03 10:23:53 UTC 
The updated drupal6 and drupal7 packages can be found in stable repositories but I don't know what is that bug(1089827) because I cannot see it since I get "Access Denied; You are not authorized to access bug #1089827."

So, can we close this bug or should we do anything else?

PS: Jon Ciesla updated drupal packages.
Comment 5 Murray McAllister 2014-05-05 01:51:44 UTC 
(In reply to Peter Borsa from comment #4)
> The updated drupal6 and drupal7 packages can be found in stable repositories
> but I don't know what is that bug(1089827) because I cannot see it since I
> get "Access Denied; You are not authorized to access bug #1089827."
> 
> So, can we close this bug or should we do anything else?
> 
> PS: Jon Ciesla updated drupal packages.

It can be closed now, thanks for the notification.

bug 1089827 is for OpenShift Online, it can be ignored.