Bug 651822 (CVE-2018-7600, SA-CORE-2018-002) - <www-apps/drupal-{7.58,8.4.6,8.5.1}: Remote Code Execution (SA-CORE-2018-002)
Summary: <www-apps/drupal-{7.58,8.4.6,8.5.1}: Remote Code Execution (SA-CORE-2018-002)
Status: RESOLVED FIXED
Alias: CVE-2018-7600, SA-CORE-2018-002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2018-002
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-28 14:48 UTC by Thomas Deutschmann
Modified: 2018-03-28 21:46 UTC

See Also:
Package list:
Runtime testing required: ---
Description Thomas Deutschmann gentoo-dev 2018-03-28 14:48:19 UTC
Incoming details.
Comment 1 Larry the Git Cow gentoo-dev 2018-03-28 19:30:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=7a9178b3c9af6525215548fa76cf503f31bddaf3

commit 7a9178b3c9af6525215548fa76cf503f31bddaf3
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:27:05 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:27:05 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).
    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/{drupal-7.57.ebuild => drupal-7.58.ebuild}   | 0
 www-apps/drupal/{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild} | 0
 www-apps/drupal/{drupal-8.5.0.ebuild => drupal-8.5.1.ebuild} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2018-03-28 19:38:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07ad56cacfc2e859666544708d1ffd80f0a84cea

commit 07ad56cacfc2e859666544708d1ffd80f0a84cea
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:37:33 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:37:33 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).
    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                           |  5 +-
 .../{drupal-7.57.ebuild => drupal-7.58.ebuild}     |  0
 .../{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild}   |  0
 www-apps/drupal/drupal-8.5.1.ebuild                | 86 ++++++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)
Comment 3 Thomas Deutschmann gentoo-dev 2018-03-28 21:46:10 UTC
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.


How dangerous is this issue?

Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default.

In the long form this means:

    How difficult is it for the attacker to leverage the vulnerability? None (user visits page).

    What privilege level is required for an exploit to be successful? None (all/anonymous users).

    Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.

    Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.

    Does a known exploit exist? Theoretical or white-hat (no public exploit code or documentation on development exists)

    What percentage of users are affected? Default or common module configurations are exploitable, but a config change can disable the exploit.


https://groups.drupal.org/security/faq-2018-002
Comment 4 Thomas Deutschmann gentoo-dev 2018-03-28 21:46:47 UTC
Package has no affected stable ebuild. Repository is clean. All done.
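As an added example (not part of the bug report, the Drupal advisory or Gentoo's packaging), the following Python implements the check the title's constraint `<www-apps/drupal-{7.58,8.4.6,8.5.1}` describes: it reads the version constant Drupal core records about itself and reports whether the install is below the fixed release of its line. The file locations (`includes/bootstrap.inc` with `define('VERSION', ...)` for Drupal 7, `core/lib/Drupal.php` with `const VERSION = ...` for Drupal 8) are the example's own assumption, as are the constructed source excerpts used as input; the page only names the fixed versions. Pre-release and dev suffixes are deliberately treated as older than the matching final release, because a release candidate or dev snapshot of 8.5.1 cannot be assumed to carry the fix.

```python
"""Version check for SA-CORE-2018-002 / CVE-2018-7600 against the ranges
tracked in Gentoo bug 651822: affected if below 7.58, 8.4.6 or 8.5.1.
Example code written for this page; not from Drupal or Gentoo."""
import re

# Fixed releases named in the bug title (<www-apps/drupal-{7.58,8.4.6,8.5.1}).
FIXED_7 = (7, 58)
FIXED_8_4 = (8, 4, 6)
FIXED_8_5 = (8, 5, 1)

# Assumed locations of the core version constant (not stated on the page):
#   Drupal 7: includes/bootstrap.inc   define('VERSION', '7.57');
#   Drupal 8: core/lib/Drupal.php      const VERSION = '8.5.0';
_VERSION_DEFS = (
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),
)
# Accepts "7.57", "8.5.0", "8.5.0-rc1" and "8.5.x-dev".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.x)?(?:-(.+))?$")


def parse_version(source):
    """Return the VERSION string found in Drupal 7 or 8 core source text."""
    for pat in _VERSION_DEFS:
        m = pat.search(source)
        if m:
            return m.group(1)
    raise ValueError("no Drupal VERSION constant found")


def version_tuple(version):
    """Map a version string to a comparable tuple.

    Numeric components are followed by -1 when a pre-release or dev marker
    is present (-rc1, -dev, .x-dev) and by 0 for a final release, so that
    8.5.1-rc1 sorts below 8.5.1 and is still reported as affected.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unparseable Drupal version: %r" % version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + ((-1,) if m.group(2) else (0,))


def fixed_version(vt):
    """Fixed release a version on the same line must reach to be safe."""
    major = vt[0]
    if major == 7:
        return FIXED_7 + (0,)
    if major == 8:
        minor = vt[1] if len(vt) > 2 else 0
        # 8.0 to 8.3 lines are older than every 8.x fix listed; 8.4 has its
        # own fix; 8.5 and anything newer is measured against 8.5.1.
        return (FIXED_8_4 if minor <= 4 else FIXED_8_5) + (0,)
    raise ValueError("major version %d not covered by this bug" % major)


def is_affected(version):
    """True if `version` is below the fixed release for its branch."""
    vt = version_tuple(version)
    return vt < fixed_version(vt)


def check_source(source):
    """Extract the version from core source text and classify it."""
    v = parse_version(source)
    return v, is_affected(v)


# Constructed excerpts standing in for includes/bootstrap.inc (Drupal 7) and
# core/lib/Drupal.php (Drupal 8); not copied from a real installation.
SAMPLE_D7 = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"

if __name__ == "__main__":
    for name, src in (("D7 sample", SAMPLE_D7), ("D8 sample", SAMPLE_D8)):
        v, bad = check_source(src)
        print("%s: Drupal %s -> %s" % (name, v, "AFFECTED" if bad else "fixed"))
```

To run it against a real tree, feed `check_source()` the contents of the file for the install's major version; on a Gentoo host the same answer should agree with the installed `www-apps/drupal` version, which is what Comment 4's "no affected stable ebuild" refers to.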