Bug#896841: jessie-pu: package psensor/1.1.3-2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I have prepared a security update for psensor to fix CVE-2014-10073 in
Jessie. This is Debian bug #896195. The security team has marked this
issue as no-dsa. I am going to upload the new revision shortly. Please
find attached the debdiff.
Regards,
Markus
diff -Nru psensor-1.1.3/debian/changelog psensor-1.1.3/debian/changelog
--- psensor-1.1.3/debian/changelog 2014-10-13 09:20:27.000000000 +0200
+++ psensor-1.1.3/debian/changelog 2018-04-24 21:23:26.000000000 +0200
@@ -1,3 +1,12 @@
+psensor (1.1.3-2+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2014-10073: The create_response function in server/server.c in
+ Psensor allows Directory Traversal because it lacks a check for whether a
+ file is under the webserver directory. (Closes: #896195)
+
+ -- Markus Koschany <apo@debian.org> Tue, 24 Apr 2018 21:23:26 +0200
+
psensor (1.1.3-2) unstable; urgency=medium
* debian/control
diff -Nru psensor-1.1.3/debian/patches/CVE-2014-10073.patch psensor-1.1.3/debian/patches/CVE-2014-10073.patch
--- psensor-1.1.3/debian/patches/CVE-2014-10073.patch 1970-01-01 01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/CVE-2014-10073.patch 2018-04-24 21:23:26.000000000 +0200
@@ -0,0 +1,74 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 23 Apr 2018 23:51:42 +0200
+Subject: CVE-2014-10073
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896195
+Origin: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c
+---
+ src/server/server.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/server/server.c b/src/server/server.c
+index 5862586..fd5662a 100644
+--- a/src/server/server.c
++++ b/src/server/server.c
+@@ -23,6 +23,7 @@
+ #include <libintl.h>
+ #define _(str) gettext(str)
+
++#include <limits.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -246,13 +247,24 @@ static struct MHD_Response *
+ create_response(const char *nurl, const char *method, unsigned int *rp_code)
+ {
+ struct MHD_Response *resp = NULL;
++ char *rpath;
++ int n;
+
+ if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
+ resp = create_response_api(nurl, method, rp_code);
+ } else {
+ char *fpath = get_path(nurl, server_data.www_dir);
+
+- resp = create_response_file(nurl, method, rp_code, fpath);
++ rpath = realpath(fpath, NULL);
++ if (rpath) {
++ n = strlen(server_data.www_dir);
++ if (!strncmp(server_data.www_dir, rpath, n))
++ resp = create_response_file(nurl,
++ method,
++ rp_code,
++ fpath);
++ free(rpath);
++ }
+
+ free(fpath);
+ }
+@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
+ switch (optc) {
+ case 'w':
+ if (optarg)
+- server_data.www_dir = strdup(optarg);
++ server_data.www_dir = realpath(optarg, NULL);
+ break;
+ case 'p':
+ if (optarg)
+@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
+ exit(EXIT_FAILURE);
+ }
+
+- if (!server_data.www_dir)
+- server_data.www_dir = strdup(DEFAULT_WWW_DIR);
++ if (!server_data.www_dir) {
++ server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
++ if (!server_data.www_dir) {
++ fprintf(stderr,
++ _("Webserver directory does not exist.\n"));
++ exit(EXIT_FAILURE);
++ }
++ }
+
+ if (!log_file)
+ log_file = strdup(DEFAULT_LOG_FILE);
diff -Nru psensor-1.1.3/debian/patches/series psensor-1.1.3/debian/patches/series
--- psensor-1.1.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/series 2018-04-24 21:23:26.000000000 +0200
@@ -0,0 +1 @@
+CVE-2014-10073.patch
Reply to: