As you are probably all aware, yesterday the security team announced that next week a highly critical issue will be released for D7+D8 (https://www.drupal.org/psa-2018-001).

Do you know if this will also affect D6, and do you have a timeline for when a patch for D6 could be backported?

Update: here's the link to the SA:

https://www.drupal.org/sa-core-2018-002


Comments

kfritsche created an issue. See original summary.

dsnopek:

Status: Active » Fixed

Yes, this affects Drupal 6 too.

As always, we'll be publishing a fix shortly after the Drupal 7 & 8 security advisory is published.

The official D6LTS vendors have access to the private security team issue tracker, and have been working on this in private. So, we're not just starting from scratch when the announcement comes out; we'll have something ready in advance. :-)

O'Briat:

Should this issue be kept open until the patch is posted in it?

howdytom:

Yes, please keep it open.

C-Logemann:

Title: PSA-2018-001 » [core] Add D6LTS patch for upcoming SA related to PSA-2018-001 when available
Priority: Normal » Critical
Status: Fixed » Active

This issue was about the question of whether there will be a D6LTS patch for the related PSA. That question was answered, and the issue was in the correct status "fixed".
But I think it's not helpful to open too many issues, so I am renaming and reopening it.

mrtwo87:

Will the patch be available here, or where would we go to find it for D6?

Thanks!

dsnopek:

Yes, the patch will be published in this issue queue (and committed to the Git repo for this project) as well as distributed by the individual D6LTS vendors in their own way.

For example, myDropWizard will also publish on its blog, make a full D6 release, and update the data used by the mydropwizard module. Tag1 has its own channels for getting patches out as well. Hopefully, with all that we'll be able to make sure everyone knows where to get it! :-)

tobi20:

Will there also be a patch for pressflow 6? Will it be available here?

mikebrooks:

@tobi20, for Pressflow 6, I follow https://github.com/pressflow/6/issues. If no patch is posted there, I intend to apply the patch posted to this issue queue.

dsnopek:

Speaking for myDropWizard, we have several clients on Pressflow, and we intend to make a PR on the Pressflow GitHub project as well (like we did for the last Drupal 6 core security update - see https://github.com/pressflow/6/pull/112)

mparker17:

@dsnopek, I'm a maintainer of pressflow/7 and appear to have commit access to pressflow/6 as well. Tag me on the PR and I'll review and merge as soon as I am able (my github username is the same as my drupal.org username)

dsnopek:

@mparker17: Thanks, will do!

hanoii:

I know it's a long-shot question, but do you know if this will affect older Drupal versions? I happen to still maintain a few D5 files and one or two D4.6 sites :scream:

fgm:

I have a D5 site still online and plan on porting the D6 patch if applicable once my customer and own D8/D7/PF6 sites are fixed, probably tomorrow. Assuming no one does it earlier.

estoyausente:

Pressflow issue is already created here:
https://github.com/pressflow/6/issues/114

I hope it is updated as soon as possible when the other patch is released.

actionmedres:

Hi,

I maintain Drupal 6 websites. Does anyone have any idea of the time the Drupal 6 patch will be released this evening?

Thanks

Jeremy:

The intent is to release the D6 patch immediately following the release of the D7/D8 patches. Thus, during the same time window as is documented in PSA-2018-001.

Thanks to subscribers of Tag1 Quo and myDropWizard for paying for the extensive back porting and testing efforts! All versions of the patches will be made available to everyone at the same time.

dsnopek:

Title: [core] Add D6LTS patch for upcoming SA related to PSA-2018-001 when available » [core] Add D6LTS patch for SA-CORE-2018-002

Renaming issue to prepare for when actual SA is out! (Release window is still 45 minutes away)

dsnopek:

Status: Active » Needs review
FileSize
2.42 KB

Here's the patch! I'll commit it to the repo in a moment.

Jon Pugh:

Applied nicely, THANK YOU!

MrAdamJohn:

Loving the fact that this is out now for D6 - such a relief. ;)

We have applied to several test environments without issue and are proceeding with full scale rollout expeditiously.

thomas.fleming:

Thank you!

dsnopek:

Status: Needs review » Fixed

Closing :-)

kubrt:

Applies nicely, thanks !

steeph:

Thanks a lot!

Fernando Iglesias:

Thanks guys, just want to add my 2 cents that this is applying cleanly to Pressflow 6. Stay safe out there.

katherined:

Thank you!

bwoods:

Awesome job at getting this ready so quickly!

howdytom:

Thank you! Worked like a charm

hanoii:

FileSize
2.33 KB

For what it's worth, attached (and hidden from the patch view) is a D5 backported patch.

EDIT: I haven't tested with older PHP versions; it works with PHP 5.6.

neurer:

Excellent work. Thank you.

nickw:

Thank you very much!

Haza:

Thanks for your work !

hanoii:

And yes, thank you @dsnopek et al.

dietric@gmail.com:

Great work, we're patching away!

manuel.adan:

Status: Fixed » Active

I thank you too!

manuel.adan:

Status: Active » Fixed

Sorry, just F5 ;)

leofishman:

Thanks a lot!!

fgm:

@hanoii++

pauljb:

Thanks!

hirbys:

Most appreciated. Thank you.

Roger-Ro:

Updating via the mydropwizard module is still not possible. Do you know when it will be?

EDIT: "drush rf" before "drush up" solved this issue.

Ishino:

Tested and confirmed working. Thanks!

onehp88:

Thank you!

jwilson3:

Status: Fixed » Needs work

@dsnopek Will the patch from #19 be added alongside the one for SA-CORE-2018-001?

I.e., here:

https://cgit.drupalcode.org/d6lts/plain/common/core/

MatthijsG:

Just mentioning that you can also download a forked (?) Drupal 6 here:
https://github.com/d6lts/drupal/releases/tag/6.42

Thanks to @dsnopek from Dropwizard

damontgomery:

I was able to update a D6 site with the mydropwizard module. You can check if the patch is applied by searching for "_drupal_bootstrap_sanitize_input" in "includes/bootstrap.inc".

I was able to use mydropwizard after upgrading to Drush 7.4.0, which was the latest version supported by the PHP version on the server the site is using. Drush 7.4.0 requires Composer, which was compatible with that server's PHP version.

Thank you!

anschinsan:

Thank you very, very much for this fast work!

Good night from Europe!

gngn:

Status: Needs work » Active

Thank you!

chinita7:

Thanks a lot!!

flickerfly:

Thank you!

chrowe:

Issue summary: View changes

jimboh:

Thanks again.

MarcelloCerruti:

Why isn't the commit for the patch listed here: https://cgit.drupalcode.org/d6lts/ ?

ciss:

Status: Active » Fixed

Why isn't the commit for the patch listed here: https://cgit.drupalcode.org/d6lts/ ?

It's a cgit caching issue. Try e.g. https://cgit.drupalcode.org/d6lts/tree/common/core?foo .

ciss:

Issue summary: View changes

@chrowe the PSA is 001, the SA is 002.

NiklasBr:

Thank you for providing this patch!

dsnopek:

Issue summary: View changes

For posterity, added the link to the SA to the issue summary.

tescometro:

All good and patched up. But...is there a test to show the patch is actually working? And the potential exploit denied?

ciss:

All good and patched up. But...is there a test to show the patch is actually working? And the potential exploit denied?

Not publicly. The tests are said to be published in about two months, to avoid lending exploit authors a hand.

dsnopek:

Status: Fixed » Needs review
FileSize
2.5 KB
503 bytes

We've gotten reports that the patch breaks certain features of OG. Here's a bug fix patch, and a new complete patch that includes both fixes! I'll commit them in a moment.

dsnopek:

Status: Needs review » Fixed

Committed! Sorry about that, Everyone!

jmev:

Is the OG bug fix patch included in the full release of 6.42 (https://github.com/d6lts/drupal/releases/tag/6.42), or is there a 6.43?

Also, I am having to update a very outdated D6 installation, still on 6.28. If I apply this patch first to that version (with plans to update complete core in the next week or 2), will there be any negative ramifications, and if so, what are they?

dsnopek:

There's a 6.43:

https://github.com/d6lts/drupal/releases/tag/6.43

And for Pressflow too:

https://github.com/pressflow/6/releases/tag/pressflow-6.43.124

Also, I am having to update a very outdated D6 installation, still on 6.28. If I apply this patch first to that version (with plans to update complete core in the next week or 2), will there be any negative ramifications, and if so, what are they?

I don't think there will be any negative ramifications from applying the patch first then updating. However, I'd really recommend updating as soon as possible! If you're still on 6.28, you're missing a number of other security fixes as well.

howdytom:

Thank you. Excellent work. I've successfully updated to 6.43.

ff01:

Is there a simple way to check that the patch has been applied correctly and is actually working?

dsnopek:

To check if it's working, you could add this to your settings.php:

$conf['sanitize_input_logging'] = TRUE;

And then visit your site with a URL like http://www.example.com?%23test=true

It should log that the '#test' key was removed in your PHP logs.
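To make the `%23test=true` check above concrete, here is an added example that is not code from this issue, from Drupal core or from any D6LTS vendor: a small Python model of what the SA-CORE-2018-002 fix does to request input (PHP-style nested query parsing, then recursive removal of any key beginning with `#`, the prefix Drupal reserves for Form API and render-array properties), plus a scan of constructed Apache access-log lines for requests that would have had keys stripped. The parser, the `sanitize_request()` / `find_probes()` helpers, the whitelist parameter and the sample log lines are all assumptions for illustration; the `destination` handling is modelled on the Drupal 7 sanitizer and is not confirmed for the D6 patch by this thread. One caveat a log-based check cannot avoid: an access log only carries the query string, so `#` keys sent in a POST body are invisible to `find_probes()`; only the in-process sanitizer (and the `sanitize_input_logging` setting above) sees those.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); the IPs and
# user agents are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Apr/2018:21:24:36 +0000] "GET /?%23test=true HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '203.0.113.5 - - [02/Apr/2018:21:24:40 +0000] "GET /?q=node&title[%23bar][]=x HTTP/1.1" 200 3456 "-" "python-requests/2.18.4"',
    '198.51.100.7 - - [02/Apr/2018:21:25:01 +0000] "GET /node/1?page=2 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
KEY_SHAPE = re.compile(r'^([^\[]*)((?:\[[^\]]*\])*)$')


def _assign(container, parts, value):
    """Store value under a PHP-style nested key path; '' (from 'a[]') appends."""
    key = parts[0] if parts[0] != '' else str(len(container))
    if len(parts) == 1:
        container[key] = value
        return
    child = container.get(key)
    if not isinstance(child, dict):
        child = {}
        container[key] = child
    _assign(child, parts[1:], value)


def parse_php_query(qs):
    """Parse 'a[b][]=1&%23x=2' the way PHP builds $_GET (nested arrays as dicts).

    Simplified model: PHP's rewriting of '.' and ' ' in key names to '_' is not
    reproduced, and malformed bracket keys are kept literally.
    """
    result = {}
    for pair in qs.split('&'):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition('=')
        key, value = unquote_plus(raw_key), unquote_plus(raw_value)
        m = KEY_SHAPE.match(key)
        parts = ([m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))) if m else [key]
        _assign(result, parts, value)
    return result


def strip_hash_keys(data, whitelist=(), path=''):
    """Recursively delete keys that start with '#' and return the removed key paths.

    This is the core of the fix: '#' marks Form API / render-array properties,
    which request input must never be able to set.
    """
    removed = []
    for key in list(data):
        full = f'{path}[{key}]' if path else key
        if key.startswith('#') and key not in whitelist:
            del data[key]
            removed.append(full)
        elif isinstance(data[key], dict):
            removed.extend(strip_hash_keys(data[key], whitelist, full))
    return removed


def sanitize_request(data, whitelist=()):
    """Sanitize one parsed request; also drop 'destination' if its own query
    string smuggles '#' keys (modelled on the Drupal 7 sanitizer, an assumption here)."""
    removed = strip_hash_keys(data, whitelist)
    dest = data.get('destination')
    if isinstance(dest, str) and '?' in dest:
        if strip_hash_keys(parse_php_query(dest.partition('?')[2]), whitelist):
            del data['destination']
            removed.append('destination')
    return removed


def find_probes(log_lines, whitelist=()):
    """Flag access-log requests whose query string carries '#'-prefixed keys.

    Only the query string is visible in an access log, so POST bodies are not
    covered by this check.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group('target')
        qs = target.partition('?')[2]
        if not qs:
            continue
        removed = sanitize_request(parse_php_query(qs), whitelist)
        if removed:
            hits.append((target, removed))
    return hits


if __name__ == '__main__':
    for target, removed in find_probes(SAMPLE_LOG):
        print(f'{target}: sanitizer would strip {removed}')
```

Run it against a real log with `find_probes(open('access.log').read().splitlines())`; the first constructed line is exactly the `?%23test=true` probe from the comment above, and the second shows that nested keys (`title[%23bar][]`) are caught too, because the walk is recursive rather than a check on top-level names only.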

tescometro:

Thanks for that test method. Worked for me, and great to confirm patch is actually installed properly

Thanks for everything here.

gregory100:

Problems with D6.37 multisite and patched bootstrap.inc

I am running Drupal 6.37 multisite with 3 websites.
After applying the patched bootstrap.inc from your 6.43 package (only uploading via FTP, no editing or Drupal update.php activation), 1 of the 3 sites works fine, the other 2 do not. They show just nothing. No HTML source, no 404, no other server error, nothing but an empty browser window. Never seen that before.

I don't think this is a hack, because when I change back to the original 6.37 bootstrap.inc the 2 sites are alive again. Back to the patched bootstrap.inc -> white space again ...

Is there an incompatibility between Drupal 6.37 and bootstrap.inc from D6.43?
(Maybe this is all my fault; D6LTS was new to me until this highly critical issue. Thanks for your work.)

HansKuiters:

@gregory100: you could check your PHP error log on the webserver. Maybe that gives you (and us) a clue.

dsnopek:

@gregory100: I can't think of what the problem with Drupal 6.37 would be, but I'd highly recommend updating all of core to match myDropWizard's Drupal 6.43 (see https://github.com/d6lts/drupal/releases/tag/6.43) rather than just copying individual files. There were security vulnerabilities fixed in 6.38 and 6.39 too, and while none of those vulnerabilities is as bad as this most recent one, it'd be best not to be missing any security fixes.

gregory100:

@HansKuiters and @dsnopek

Thanks for your very fast response.

@HansKuiters

>> you could check your php error log on the webserver.

Done.
Ongoing PHP 5.6 error log file.
There are many errors logged.

Most look like this:
[Mon Apr 02 21:24:36 2018] [-:error] [pid xxxxxx] [client xxxxxxxxxxxx] [host www.xxxxxxxxxxxxxxx.xxx] PHP Fatal error: Cannot redeclare menu_path_is_external() (previously declared in /is/htdocs/xxxxxxxxxxxxxxxxxxxxx/www/drupal6/includes/bootstrap.inc:1542) in /is/htdocs/xxxxxxxxxxxxxxxx/www/drupal6/includes/menu.inc on line 2475

dsnopek:

Ah, ok. In Drupal 6.38 (released more than 2 years ago now!), menu_path_is_external() moved from includes/menu.inc to includes/bootstrap.inc. So, you could try also uploading includes/menu.inc, but I'd really, HIGHLY recommend updating ALL of core to Drupal 6.43 rather than continuing to copy individual files.

HansKuiters:

That is for sure a problem. It seems to me that the function menu_path_is_external() has been moved from menu.inc to bootstrap.inc. So I back the advise from @dsnopek to update all core files to match 6.43

Edit: @dsnopek already answered ;-)
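Two checks from this thread are worth automating across many docroots: the grep for `_drupal_bootstrap_sanitize_input` in includes/bootstrap.inc suggested earlier as the sign that the patch is present, and the partial-update failure mode just described, where a bootstrap.inc from 6.38 or later sits next to an older menu.inc and PHP dies with "Cannot redeclare menu_path_is_external()". The following audit script is an added example, not code from this issue, from Drupal core or from myDropWizard. It assumes Drupal 6 defines its version as `define('VERSION', '6.xx');` in modules/system/system.module, takes the sanitizer function name from the comment above, and treats 6.43 as the release that carries this fix; the constructed file contents used for testing are not real core files.

```python
import os
import re

# Files the audit reads, relative to the Drupal 6 docroot.
CORE_FILES = ('modules/system/system.module', 'includes/bootstrap.inc', 'includes/menu.inc')
VERSION_RE = re.compile(r"define\('VERSION',\s*'([^']+)'\)")
MENU_FN_RE = re.compile(r'function\s+menu_path_is_external\s*\(')
SANITIZER_FN = '_drupal_bootstrap_sanitize_input'  # name reported in this thread
PATCHED_RELEASE = (6, 43)  # D6LTS release that includes SA-CORE-2018-002 (assumption from this thread)


def load_docroot(path):
    """Read the audited core files from a docroot on disk; missing files read as ''."""
    files = {}
    for rel in CORE_FILES:
        try:
            with open(os.path.join(path, rel), encoding='utf-8', errors='replace') as fh:
                files[rel] = fh.read()
        except OSError:
            files[rel] = ''
    return files


def version_tuple(version):
    """'6.43' -> (6, 43); non-numeric parts are ignored so 'pressflow-6.43.124' still compares."""
    return tuple(int(n) for n in re.findall(r'\d+', version))


def audit_files(files):
    """Audit an in-memory {relative path: contents} map and return a report dict."""
    findings = []
    m = VERSION_RE.search(files.get('modules/system/system.module', ''))
    version = m.group(1) if m else None
    bootstrap = files.get('includes/bootstrap.inc', '')
    menu = files.get('includes/menu.inc', '')

    # The check from this thread: the sanitizer lives in bootstrap.inc on D6
    # (there is no includes/request-sanitizer.inc as on Drupal 7).
    patched = SANITIZER_FN in bootstrap
    if not patched:
        findings.append('SA-CORE-2018-002 fix not found: %s missing from includes/bootstrap.inc' % SANITIZER_FN)

    # Mixed core files: bootstrap.inc from >= 6.38 alongside an older menu.inc
    # declares menu_path_is_external() twice, and PHP dies with "Cannot redeclare".
    if MENU_FN_RE.search(bootstrap) and MENU_FN_RE.search(menu):
        findings.append('menu_path_is_external() declared in both includes/bootstrap.inc '
                        'and includes/menu.inc (partial core update; PHP will fatal)')

    if version is None:
        findings.append('could not read VERSION from modules/system/system.module')
    elif version_tuple(version)[:2] < PATCHED_RELEASE:
        findings.append('core version %s is older than 6.43; other security fixes are missing too' % version)

    return {'version': version, 'patched': patched, 'findings': findings}


def audit_docroot(path):
    """Convenience wrapper: audit a docroot on disk."""
    return audit_files(load_docroot(path))


if __name__ == '__main__':
    import sys
    for docroot in sys.argv[1:]:
        report = audit_docroot(docroot)
        status = 'OK' if not report['findings'] else 'ATTENTION'
        print('%s [%s] version=%s patched=%s' % (docroot, status, report['version'], report['patched']))
        for finding in report['findings']:
            print('  - ' + finding)
```

Usage: `python audit_d6.py /var/www/site1 /var/www/site2`. A docroot that reports `patched=True` but still lists the redeclare finding is exactly the state described in the comments above: the file copy landed, but the site will white-screen until the rest of core is brought to the same release.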

neallawson:

I too was running Drupal 6.38. I downloaded and updated to 6.43, and when I try to install the patch (SA-CORE-2018-002.patch) I get a message that the patch is already installed. Does 6.43 include this patch? However I do not see includes/request-sanitizer.inc or a call to it in bootstrap.inc.

howdytom:

@neallawson: Yes, Drupal 6.43 includes SA-CORE-2018-002.

https://github.com/d6lts/drupal/compare/6.42...6.x

neallawson:

Thank you, @howdytom! Much appreciated.

dsnopek:

However I do not see includes/request-sanitizer.inc or a call to it in bootstrap.inc.

request-sanitizer.inc was part of the Drupal 7 patch. The Drupal 6 implementation does the same thing, but doesn't have that file.

In any case, Drupal 6.43 is the latest D6LTS version and includes all security fixes so far!

neallawson:

Thanks, @dsnopek! Thank you very much for the patch and 6.43!

hanoii:

It's probably late, as I hope that most Drupals were updated, but I found this and I think it's a useful piece of information related to this issue, not just D6, to be aware of.

It's basically an attempt to do what the patch does but on a server level:

https://gist.github.com/SniperSister/96bbf89a579f763884ceb0b434d73b36

april26:

Thank you - I have been so worried about my old D6 clients!

jeetendrakumar:

Hi @dsnopek

I am running Drupal 6.30. I have a couple of questions:

1. Will it work for 6.30 version?
2. Will it (patch) fix the Vulnerability: Remote Code Execution (CVE-2018-7600)?

Thanks in Advance :)

NiklasBr:

jeetendrakumar, I have no idea about your first question and I hope you have a really good reason to stay on 6.30 rather than updating to 6.43, you are missing out on many security fixes.

On your second question: SA-CORE-2018-002 is CVE-2018-7600, you can confirm this by following any of the two links in the issue summary.

dsnopek:

@jeetendrakumar since you mentioned me directly, I'll respond, but I agree completely with @NiklasBr. I suspect the patch will apply to 6.30 (although I haven't tested it), but you'd be leaving yourself open to other security vulnerabilities that were fixed in other updates.

jeetendrakumar:

Hi @dsnopek

We have updated the Drupal version from 6.30 to 6.43, and our security team checked the SA-CORE-2018-002 vulnerability on this version via a Python script (Drupalgeddon2) and found that the code is still vulnerable.

vishalkhialani:

Hi @jeetendrakumar ,

After reading your comment that the update might not be working against Drupalgeddon2, I thought I should double check with my sites.

So I looked into my servers and did not find any kind of pattern of being compromised.

I also ran a script exploit on one of our test servers and the exploit did not work.

Please share ( maybe directly with @dsnopek ) your use case as to when and how its breaking.

I am also available.

Thank you,
Vishal

dsnopek:

@jeetendrakumar Can you send me a message through my contact form with a link or the actual Python script that you're using? If they have an attack that works even with the patch, I'd really, really like to see it. All of the exploit scripts posted publicly that I have seen should be stopped by this patch.

cspitzlay:

@jeetendrakumar:
Just to point out the obvious: there are several things that can go wrong when updating ...

A broken deployment, or failure to restart a cache of the parsed PHP code if so configured
(apache for mod_php or php-fpm for fpm).

Is the updated version string reflected on your admin/reports/status page?

steeph:

deleted (sorry, my mistake, got the versions mixed up in my head)

cspitzlay:

@steeph: In case you are referring to the things that can go wrong: 6.43 is supposed to contain the patch, isn't it?

steeph:

Yes, that's what I meant. Realised it shortly after. Sorry

amccune:

Hi

Will the 2018-004 critical core vulnerability also be patched through this program?

cheers
Adam

dsnopek:

All Drupal core vulnerabilities that also affect Drupal 6 will have patches released in this project, yes.

rreiss:

@jeetendrakumar what you wrote doesn't make any sense to me.
1. The patch should block Drupalgeddon2 attacks assuming that your site was patched using the provided patch
2. Most of the crawlers (and maybe even all of those) are targeting D8 and D7, and although I didn't test the exploits on D6 I don't think that the D7 one will work as it is (it will require some modifications).

@dsnopek If @jeetendrakumar will share the mentioned python script with you I'll be glad to help if you need some assistance.

* I was one of the three people group who wrote the original "uncovering Drupalgeddon2" blog post.

HansKuiters:

@amccune: do you mean 2018-003? That was announced today for this Wednesday. Or is there a 2018-004 announced?

Arbelo:

The latest announcement referenced SA-CORE-2018-004, but I think that was a typo. The URL for the announcement has 003 in it:
https://www.drupal.org/psa-2018-003

But in the text, it has:
The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004.

hugovk:

It is public service announcement number three, PSA-2018-003, announcing core security fix number four, SA-CORE-2018-004.

SA-CORE-2018-003 was for CKEditor, which is only in core for 8.x.

jeetendrakumar:

Thanks for quick response :)

Hi @dsnopek I have shared detail with you.

jeetendrakumar:

@cspitzlay Yes it is reflecting on status page.

actionmedres:

I have read to believe that the SA-CORE-2018-003 would be for CKEditor and only for versions 7.x and 8.x?

Will there be a version 6.x release soon after?

Thanks

dsnopek:

I have read to believe that the SA-CORE-2018-003 would be for CKEditor and only for versions 7.x and 8.x?

Will there be a version 6.x release soon after?

That is off-topic for this issue. In the future, please open a new issue!

However, to answer your question: SA-CORE-2018-003 is actually a vulnerability in the CKEditor library, and is only a Drupal issue because Drupal 8 bundles CKEditor. If you use a vulnerable version of the CKEditor library (versions 4.5.11 up to 4.9.1) then your site is vulnerable regardless of which Drupal version you are using (6, 7 or 8). We're not going to release a Drupal 6 patch for that - just check your CKEditor library version and update that if you need to!

dsnopek:

@jeetendrakumar: Thanks for sending the script!

To those following along here, I looked at the script and it appears to be written specifically for Drupal 8 sites. I believe it saying the site is vulnerable is a false positive because it doesn't know how to test for the Drupal 6 variant of this issue.

jeetendrakumar:

@dsnopek Thanks for review :)

igorski:

Status: Fixed » Closed (fixed)
Related issues: +#2965601: [core] Add D6LTS patch for SA-CORE-2018-004

I think everything about the original issue is more than covered here. Just for reference, I linked to the new issue for the upcoming patch.

hanoii:

@dsnopek

do you know already if the new SA will affect the patched D6?