Bug 863248 (CVE-2012-1588)

Summary: CVE-2012-1588 Drupal 7: text filtering Denial of Service
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: ccoleman, gwync, peter.borsa, rmillner, stickster, tkramer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: drupal7-7.13
Doc Type: Bug Fix
Last Closed: 2013-04-25 15:12:21 UTC
Bug Depends On: 863256, 956481, 956483
Bug Blocks: 863255

Description Kurt Seifried 2012-10-04 19:55:31 UTC
Drupal reports that Drupal 7.12 contains the following vulnerability:

Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

External reference:
http://drupal.org/node/1557938

Comment 2 Kurt Seifried 2013-04-25 05:19:52 UTC
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 956481]

Comment 3 Kurt Seifried 2013-04-25 05:22:15 UTC
Created drupal7 tracking bugs for this issue

Affects: epel-all [bug 956483]