Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Mar 2016 11:23:01 -0400 (EDT)
From: cve-assign@...re.org
To: pere@...a.cat
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...pal.org
Subject: Re: CVE requests for Drupal contributed modules (from 2016-009 to 2016-014)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Prepopulate - Access Bypass - SA-CONTRIB-2016-009
> https://www.drupal.org/node/2679503

>> The Prepopulate module does not adequately prevent a user from
>> overwriting arbitrary parts of $_REQUEST. It also does not prevent
>> pre-populating certain fields that are not displayed or manipulating
>> markup fields to alter elements of the user interface.

>> Versions affected

>>    Prepopulate 7.x-2.x versions prior to 7.x-2.1.

>>> http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443

Use CVE-2016-3187 for the issue associated with deleting the
"parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use
CVE-2016-3188 for the issue associated with changing the value of
$limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit
message does not seem closely related to the
16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.)

Our understanding is that the Prepopulate module was packaged in, for
example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in
drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the
16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that
the best available information is that CVE-2016-3187 and CVE-2016-3188
affects or affected, at least, Fedora 23.

(For example, see the
http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm
package file.)

(We understand that Drupal 6 end-of-life was last month according to
the https://www.drupal.org/drupal-6-eol post. We also understand that
http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4
exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on
many Fedora 23 systems.)

We may be sending a separate reply about the USASearch, Google
Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels
Panes issues.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v
+1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2
80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz
WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB
dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL
TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8
iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw
4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q
0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k
wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF
o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy
etw4zEaMsg3o2WgpI6qS
=huG5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ