Bug 863253 (CVE-2012-1591)

Summary: CVE-2012-1591 Drupal 7: Access bypass - private images
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ccoleman, gwync, peter.borsa, rmillner, stickster, tkramer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: drupal7-7.13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-25 15:12:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 863256, 956481, 956483    
Bug Blocks: 863255    

Description Kurt Seifried 2012-10-04 20:06:19 UTC 
The Drupal reports that Drupal 7.12 contains the following vulnerability: 

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and 
Image Styles which create derivative images from an original image that may 
differ, for example, in size or saturation. Drupal core failed to properly 
terminate the page request for cached image styles allowing users to access 
image derivatives for images they should not be able to view. Furthermore, 
Drupal didn't set the right headers to prevent image styles from being cached 
in the browser.

External reference:
http://drupal.org/node/1557938
Comment 2 Kurt Seifried 2013-04-25 05:20:53 UTC 
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 956481]
Comment 3 Kurt Seifried 2013-04-25 05:23:18 UTC 
Created drupal7 tracking bugs for this issue

Affects: epel-all [bug 956483]