Bug#776200: marked as done (unblock: websvn/2.3.3-1.2)



Your message dated Mon, 26 Jan 2015 08:41:25 +0100
with message-id <54C5EFA5.8010700@thykier.net>
and subject line Re: Bug#776200: unblock: websvn/2.3.3-1.2
has caused the Debian Bug report #776200,
regarding unblock: websvn/2.3.3-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
776200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776200
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package websvn.

It fixes a security issue.

unblock websvn/2.3.3-1.2


Thanks,
Thijs
diff -Nru websvn-2.3.3/debian/changelog websvn-2.3.3/debian/changelog
--- websvn-2.3.3/debian/changelog	2012-04-17 17:32:27.000000000 +0000
+++ websvn-2.3.3/debian/changelog	2015-01-24 12:42:37.000000000 +0000
@@ -1,3 +1,11 @@
+websvn (2.3.3-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the security team.
+  * Disable download of in-repository symlinks to prevent arbitrary
+    file access (CVE-2013-6892, Closes: #775682).
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Sat, 24 Jan 2015 12:31:44 +0000
+
 websvn (2.3.3-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch
--- websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	1970-01-01 00:00:00.000000000 +0000
+++ websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	2015-01-24 12:41:10.000000000 +0000
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
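Review bot: the new check at `+	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {` only inspects the top-level path being downloaded, so a symlink nested inside an exported directory is not caught by it; the `--symlinks` flag added to the zip command covers the zip branch by storing links as links instead of following them, but this hunk touches only the zip command, so please confirm that the tar branch (not shown in this diff) likewise archives symlinks without dereferencing them. Two smaller points: the refusal is reported as `500 Internal Server Error`, where a 403 would describe a deliberate policy rejection more accurately and keep it out of server-error monitoring; and the comment `seems to error prone` should read `seems too error prone`.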
diff -Nru websvn-2.3.3/debian/patches/series websvn-2.3.3/debian/patches/series
--- websvn-2.3.3/debian/patches/series	2011-06-11 15:01:59.000000000 +0000
+++ websvn-2.3.3/debian/patches/series	2015-01-24 12:41:27.000000000 +0000
@@ -1,3 +1,4 @@
+13_security_CVE-2013-6892.patch
 21_fix_conf_file.patch
 22_use_global_geshi.patch
 25_readme_multiviews

--- End Message ---
--- Begin Message ---
On 2015-01-25 13:27, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package websvn.
> 
> It fixes a security issue.
> 
> unblock websvn/2.3.3-1.2
> 
> 
> Thanks,
> Thijs
> 

Unblocked, thanks.

~Niels

--- End Message ---