Bug#776200: unblock: websvn/2.3.3-1.2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package websvn.

It fixes a security issue.

unblock websvn/2.3.3-1.2


Thanks,
Thijs
diff -Nru websvn-2.3.3/debian/changelog websvn-2.3.3/debian/changelog
--- websvn-2.3.3/debian/changelog	2012-04-17 17:32:27.000000000 +0000
+++ websvn-2.3.3/debian/changelog	2015-01-24 12:42:37.000000000 +0000
@@ -1,3 +1,11 @@
+websvn (2.3.3-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the security team.
+  * Disable download of in-repository symlinks to prevent arbitrary
+    file access (CVE-2013-6892, Closes: #775682).
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Sat, 24 Jan 2015 12:31:44 +0000
+
 websvn (2.3.3-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch
--- websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	1970-01-01 00:00:00.000000000 +0000
+++ websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	2015-01-24 12:41:10.000000000 +0000
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
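Review bot: the new is_link() guard only covers the top-level $archiveName; a symlink nested inside an exported directory is caught only by the zip change at the end of the hunk, where `--symlinks` makes zip store the link entry itself instead of following it to its target. Only the zip command line is visible here, so confirm that any other archive format offered by dl.php likewise stores rather than dereferences links, otherwise the same file-disclosure path remains for those formats. Two minor points in the new block: a 403 Forbidden describes a deliberate policy refusal better than the 500 Internal Server Error returned here, and the comment "seems to error prone" should read "seems too error prone".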
diff -Nru websvn-2.3.3/debian/patches/series websvn-2.3.3/debian/patches/series
--- websvn-2.3.3/debian/patches/series	2011-06-11 15:01:59.000000000 +0000
+++ websvn-2.3.3/debian/patches/series	2015-01-24 12:41:27.000000000 +0000
@@ -1,3 +1,4 @@
+13_security_CVE-2013-6892.patch
 21_fix_conf_file.patch
 22_use_global_geshi.patch
 25_readme_multiviews