oss-sec mailing list archives
Re: [security] CVE requests for Drupal contributed modules (from 2016-009 to 2016-014)
From: David Snopek <dsnopek () gmail com>
Date: Mon, 4 Apr 2016 06:50:34 -0500
Hi, Just as an FYI, there is a small team of vendors who are carrying on Long-Term Support of Drupal 6 and some of its contrib modules: http://drupal.org/project/d6lts This affects one of the security issues you mentioned, in that the LTS vendors ported the fix to the Drupal 6 version of Prepopulate and made an unofficial release that contains it: https://github.com/d6lts/prepopulate/releases/tag/6.x-2.3 I'm not sure if this matters to you, as these are completely unofficial releases done by a group that isn't the same as the Drupal Security Team or the upstream maintainers, but the ported patches and releases are (and will be) publicly available. If you'd like, we can let you know about future releases? Or if not. please feel free to ignore this note. :-) Thanks, David. 2016-03-17 10:23 GMT-05:00 <cve-assign () mitre org>:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256Prepopulate - Access Bypass - SA-CONTRIB-2016-009 https://www.drupal.org/node/2679503The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $_REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alter elements of the user interface.Versions affectedPrepopulate 7.x-2.x versions prior to 7.x-2.1.http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443 Use CVE-2016-3187 for the issue associated with deleting the "parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use CVE-2016-3188 for the issue associated with changing the value of $limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit message does not seem closely related to the 16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.) Our understanding is that the Prepopulate module was packaged in, for example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the 16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that the best available information is that CVE-2016-3187 and CVE-2016-3188 affects or affected, at least, Fedora 23. (For example, see the http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm package file.) (We understand that Drupal 6 end-of-life was last month according to the https://www.drupal.org/drupal-6-eol post. We also understand that http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4 exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on many Fedora 23 systems.) We may be sending a separate reply about the USASearch, Google Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels Panes issues. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v +1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2 80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8 iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw 4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q 0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy etw4zEaMsg3o2WgpI6qS =huG5 -----END PGP SIGNATURE----- -- [ Security | https://lists.drupal.org/mailman/listinfo/security ] [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]
Current thread:
- Re: [security] CVE requests for Drupal contributed modules (from 2016-009 to 2016-014) David Snopek (Apr 04)