Bug 896467 (CVE-2013-0244, CVE-2013-0245, CVE-2013-0246, SA-CORE-2013-001)

Summary: drupal6, drupal7: Multiple security flaws fixed in upstream 6.28 and 7.19 versions (SA-CORE-2013-001)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: gwync, jokajak, kris.buytaert, lmacken, peter.borsa, rbean, sdodson, stickster, sven
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Drupal 6.28, Drupal 7.19
Doc Type: Bug Fix
Last Closed: 2013-02-01 15:29:39 UTC
Bug Depends On: 896468, 896469, 896470, 896471

Description Jan Lieskovsky 2013-01-17 11:33:24 UTC
Drupal upstream has released 6.28 and 7.19 versions to correct multiple security issues ([1]):
----------------------------------------------------------------------------------------------

* Cross-site scripting (Various core and contributed modules - Drupal 6 and 7):
===============================================================================
 
  A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.

* Access bypass (Book module printer friendly version - Drupal 6 and 7):
========================================================================

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.

* Access bypass (Image module - Drupal 7):
==========================================

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.

----------------------------------------------------------------------------------------------

References:
[1] http://drupal.org/SA-CORE-2013-001
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698333
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698334
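The selector-versus-HTML decision the advisory describes, as an added example that is not part of the advisory, of Drupal core or of jQuery: it models the quickExpr test jQuery applies to a string before and after 1.6.3 (regex shapes recalled from jQuery 1.6.2 and 1.6.3 and assumed accurate; Drupal 7's bundled 1.4.4 uses an equivalent but differently written pattern) and a hardened application-side check that only forwards plain #id fragments. `classify`, `SAFE_FRAGMENT`, `selectorFromHash` and `report` are hypothetical names.

```javascript
// Added example, not code from the Drupal advisory, Drupal core or jQuery.
// Models how jQuery(string) decides between "parse as HTML" and "look up as
// a selector", before and after jQuery 1.6.3, and a hardened application-side
// check for user-controlled fragments. All names here are hypothetical.

// quickExpr as shipped in jQuery 1.6.2 and 1.6.3 (assumption: recalled from
// upstream; the only difference is the leading [^<] vs [^#<] class, so a
// string starting with '#' is no longer eligible to be parsed as HTML).
const QUICK_EXPR_PRE_163 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const QUICK_EXPR_POST_163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Returns 'html' when jQuery would build DOM nodes from the string (the
// dangerous path for untrusted input), 'id' for a bare #id lookup, and
// 'selector' when the string is handed to the selector engine instead.
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (!m) return 'selector';
  return m[1] ? 'html' : 'id';
}

// Hardened check for application code: a fragment taken from the URL is only
// forwarded to jQuery if it is a plain #id selector (assumption: a policy
// chosen for this example, not a Drupal rule). Anything else is dropped.
const SAFE_FRAGMENT = /^#[A-Za-z][\w-]*$/;

function selectorFromHash(hash) {
  return SAFE_FRAGMENT.test(hash) ? hash : null;
}

// Constructed inputs: a normal fragment, a fragment carrying markup (the
// advisory's "unexpected user input"), and markup that does not start with
// '#', which 1.6.3 still treats as HTML and is why the advisory says the
// jQuery change covers only the most common forms of the problem.
const SAMPLES = ['#main', '#<b>x</b>', 'x<b>y</b>'];

function report() {
  return SAMPLES.map((s) => ({
    input: s,
    pre163: classify(s, QUICK_EXPR_PRE_163),
    post163: classify(s, QUICK_EXPR_POST_163),
    hardened: selectorFromHash(s),
  }));
}

for (const row of report()) console.log(row);
```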

Comment 1 Jan Lieskovsky 2013-01-17 11:35:25 UTC
These issues affect the versions of the drupal6 and drupal7 packages, as shipped with Fedora releases 16 and 17, Fedora EPEL 5, and Fedora EPEL 6. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-01-17 11:36:57 UTC
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 896470]
Affects: epel-all [bug 896471]

Comment 3 Jan Lieskovsky 2013-01-17 11:37:18 UTC
Created drupal6 tracking bugs for this issue

Affects: fedora-all [bug 896468]
Affects: epel-all [bug 896469]

Comment 4 Jan Lieskovsky 2013-01-17 12:45:13 UTC
Besides the above affected versions, the first "Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)" issue (affecting jQuery versions earlier than 1.6.3, as stated in the description:

"jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery."

jQuery upstream bug: http://bugs.jquery.com/ticket/9521
jQuery 1.6.3 notes: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

) affects the versions of the drupal7-jquery_update package, as shipped with Fedora releases 16 and 17, Fedora EPEL 5 and Fedora EPEL 6 (as it also contains jquery.js source code and currently upgrades the jQuery JavaScript library only to upstream version 1.5.2). Please schedule a drupal7-jquery_update package update too.

Comment 6 Jan Lieskovsky 2013-01-17 14:53:11 UTC
The jQuery < 1.6.3 XSS issue also affects the versions of the python-tw-jquery package, as shipped with Fedora releases 16 and 17, Fedora EPEL 5, and Fedora EPEL 6. Please schedule an update.

(The embedded jQuery JavaScript library there is a pre-1.2.4 version, located in BUILD/tw.jquery-0.9.10/tw/jquery/static/javascript/validate/lib/jquery.js.)

Comment 8 Jan Lieskovsky 2013-01-17 15:54:23 UTC
CVE request:
  http://www.openwall.com/lists/oss-security/2013/01/17/14

Comment 10 Jan Lieskovsky 2013-02-01 14:55:32 UTC
(In reply to comment #0)

Based on: http://www.openwall.com/lists/oss-security/2013/01/31/4

> Drupal upstream has released 6.28 and 7.19 versions to correct multiple
> security issues ([1]):
> * Cross-site scripting (Various core and contributed modules - Drupal 6 and
> 7):

1) The CVE identifier of CVE-2013-0244 has been assigned to the following issue:

A reflected cross-site scripting vulnerability (XSS) was identified in
certain Drupal JavaScript functions that pass unexpected user input
into jQuery causing it to insert HTML into the page when the intended
behavior is to select DOM elements. Multiple core and contributed
modules are affected by this issue.

> * Access bypass (Book module printer friendly version - Drupal 6 and 7):
> ========================================================================

2) The CVE identifier of CVE-2013-0245 has been assigned to the Book module issue.

> * Access bypass (Image module - Drupal 7):
> ==========================================

3) And the CVE identifier of CVE-2013-0246 has been assigned to the Image module issue.

Comment 11 Jan Lieskovsky 2013-02-01 15:21:03 UTC
The CVE identifier of CVE-2011-4969 has been assigned to the jQuery < 1.6.3 XSS issue. This issue is now tracked under a separate bug:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4969

and I am also going to move the various jQuery-related Fedora component bugs to be linked to that new CVE-2011-4969 bug.

Comment 12 Jan Lieskovsky 2013-02-01 15:29:39 UTC
Closing this bug - the CVE-2013-0244, CVE-2013-0245, CVE-2013-0246 issues have been corrected in the various drupal versions as shipped within Fedora / Fedora EPEL already, and we will deal with the jQuery CVE-2011-4969 related component issues in the new CVE-2011-4969 bug. This bug is not needed anymore.