Bug#804787: marked as done (jessie-pu: package servefile/0.4.3-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 17 Jun 2018 20:24:44 +0100
with message-id <1529263484.2082.43.camel@adam-barratt.org.uk>
and subject line Re: Bug#804787: jessie-pu: package servefile/0.4.3-1
has caused the Debian Bug report #804787,
regarding jessie-pu: package servefile/0.4.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
804787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804787
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: jessie-pu: package servefile/0.4.3-1
• From: Sebastian Lohff <seba@someserver.de>
• Date: Wed, 11 Nov 2015 17:39:16 +0100
• Message-id: <20151111163916.1474.54339.reportbug@claptrap.lair.seba-geek.de>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

there has been a directory traversal bug in servefile, it was fixed in
version 0.4.4. I talked to the Debian security team and they said a DSA
would not be necessary and recommended doing a stable-pu. Therefore
I'd like to propose an update to 0.4.4 (debdiff attached).

Greetings,
seba

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog	2013-12-28 01:55:41.000000000 +0100
+++ servefile-0.4.4/ChangeLog	2015-11-10 21:05:35.000000000 +0100
@@ -1,6 +1,18 @@
 servefile changelog
 ===================
 
+2015-11-10 v0.4.4
+-----------------
+
+	0.4.4 released
+
+	* prefer using TLS1.2/TLS1 with --ssl if available
+	* issue v3 certificates for self signed certificates with --ssl
+	* removed lots of unnecessary error output
+	* fixed a bug where wrong ranges were used on a HEAD request in directory listing mode
+	* fixed a bug where directory listing mode allowed path traversal
+
+
 2013-12-28 v0.4.3
 -----------------
 
diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog
--- servefile-0.4.3/debian/changelog	2014-08-12 22:11:04.000000000 +0200
+++ servefile-0.4.4/debian/changelog	2015-11-11 15:52:59.000000000 +0100
@@ -1,3 +1,9 @@
+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * New upstream version
+
+ -- Sebastian Lohff <seba@someserver.de>  Tue, 10 Nov 2015 21:22:17 +0100
+
 servefile (0.4.3-1) unstable; urgency=low
 
   * New upstream version
diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control
--- servefile-0.4.3/debian/control	2014-08-13 00:41:01.000000000 +0200
+++ servefile-0.4.4/debian/control	2015-11-10 21:27:07.000000000 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Sebastian Lohff <seba@someserver.de>
 Build-Depends: debhelper (>= 9.0~), python
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Homepage: http://seba-geek.de/stuff/servefile/
 
 Package: servefile
diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO
--- servefile-0.4.3/PKG-INFO	2013-12-28 02:31:38.000000000 +0100
+++ servefile-0.4.4/PKG-INFO	2015-11-10 21:13:09.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: servefile
-Version: 0.4.3
+Version: 0.4.4
 Summary: Serve files from shell via a small HTTP server
 Home-page: http://seba-geek.de/stuff/servefile/
 Author: Sebastian Lohff
diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile
--- servefile-0.4.3/servefile	2013-12-28 02:21:57.000000000 +0100
+++ servefile-0.4.4/servefile	2015-11-10 20:54:36.000000000 +0100
@@ -7,7 +7,7 @@
 
 from __future__ import print_function
 
-__version__ = '0.4.3'
+__version__ = '0.4.4'
 
 import argparse
 import base64
@@ -16,7 +16,6 @@
 import mimetypes
 import urllib
 import os
-import posixpath
 import re
 import select
 import socket
@@ -102,7 +101,7 @@
 					try:
 						fromto[0] = int(fromto[0])
 						fromto[1] = int(fromto[1])
-					except:
+					except ValueError:
 						return (False, None)
 
 					if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0:
@@ -154,11 +153,7 @@
 		self.end_headers()
 		block = self.getChunk(myfile, fromto)
 		while block:
-			try:
-				self.wfile.write(block)
-			except socket.error as e:
-				print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1]))
-				return False
+			self.wfile.write(block)
 			block = self.getChunk(myfile, fromto)
 		myfile.close()
 		print("%s finished downloading %s" % (self.client_address[0], filePath))
@@ -310,6 +305,15 @@
 		""" Send file or directory index, depending on requested path """
 		path = self.getCleanPath()
 
+		# check if path is in current serving directory
+		currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
+		requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
+		if not requestPath.startswith(currBaseDir):
+			self.send_response(301)
+			self.send_header("Location", '/')
+			self.end_headers()
+			return
+
 		if os.path.isdir(path):
 			if not self.path.endswith('/'):
 				self.send_response(301)
@@ -325,7 +329,7 @@
 					self.end_headers()
 				else:
 					self.send_response(200)
-					self.sendContentHeaders(self, path, length)
+					self.sendContentHeaders(path, length)
 					self.end_headers()
 			else:
 				self.sendFile(path, head)
@@ -406,7 +410,7 @@
 			</tr>
 		</thead>
 		<tbody>
-		""" % {'path': posixpath.normpath(urllib.unquote(self.path))}
+		""" % {'path': os.path.normpath(urllib.unquote(self.path))}
 		footer = """</tbody></table></div>
 <div class="footer"><a href="http://seba-geek.de/stuff/servefile/";>servefile %(version)s</a></div>
 </body>
@@ -468,7 +472,7 @@
 		return (size, ext.strip())
 
 	def getCleanPath(self):
-		urlPath = posixpath.normpath(urllib.unquote(self.path)).strip("/")
+		urlPath = os.path.normpath(urllib.unquote(self.path)).strip("/")
 		path = os.path.join(self.targetDir, urlPath)
 		return path
 
@@ -626,7 +630,9 @@
 		# never reached
 
 class ThreadedHTTPServer(SocketServer.ThreadingMixIn, BaseHTTPServer.HTTPServer):
-	pass
+	def handle_error(self, request, client_address):
+		print("%s ABORTED transmission (Reason: %s)" % (client_address[0], sys.exc_value))
+
 
 def catchSSLErrors(BaseSSLClass):
 	""" Class decorator which catches SSL errors and prints them. """
@@ -645,7 +651,19 @@
 class SecureThreadedHTTPServer(ThreadedHTTPServer):
 	def __init__(self, pubKey, privKey, server_address, RequestHandlerClass, bind_and_activate=True):
 		ThreadedHTTPServer.__init__(self, server_address, RequestHandlerClass, bind_and_activate)
-		ctx = SSL.Context(SSL.SSLv23_METHOD)
+
+		# choose TLS1.2 or TLS1, if available
+		sslMethod = None
+		if hasattr(SSL, "TLSv1_2_METHOD"):
+			sslMethod = SSL.TLSv1_2_METHOD
+		elif hasattr(SSL, "TLSv1_METHOD"):
+			sslMethod = SSL.TLSv1_METHOD
+		else:
+			# only SSLv23 available
+			print("Warning: Only SSLv2/SSLv3 is available, connection might be insecure.")
+			sslMethod = SSL.SSLv23_METHOD
+
+		ctx = SSL.Context(sslMethod)
 		if type(pubKey) is crypto.X509 and type(privKey) is crypto.PKey:
 			ctx.use_certificate(pubKey)
 			ctx.use_privatekey(privKey)
@@ -661,7 +679,11 @@
 			self.server_activate()
 
 	def shutdown_request(self, request):
-		request.shutdown()
+		try:
+			request.shutdown()
+		except SSL.Error:
+			# ignore SSL errors on connection shutdown
+			pass
 
 
 class SecureHandler():
@@ -782,6 +804,8 @@
 		req.sign(pkey, "sha1")
 
 		cert = crypto.X509()
+		# Mozilla only accepts v3 certificates with v3 extensions, not v1
+		cert.set_version(0x2)
 		# some browsers complain if they see a cert from the same authority
 		# with the same serial ==> we just use the seconds as serial.
 		cert.set_serial_number(int(time.time()))
diff -Nru servefile-0.4.3/servefile.1 servefile-0.4.4/servefile.1
--- servefile-0.4.3/servefile.1	2013-12-28 02:30:48.000000000 +0100
+++ servefile-0.4.4/servefile.1	2015-11-10 21:12:39.000000000 +0100
@@ -1,4 +1,4 @@
-.TH SERVEFILE 1 "December 2013" "servefile 0.4.3" "User Commands"
+.TH SERVEFILE 1 "November 2015" "servefile 0.4.4" "User Commands"
 
 .SH NAME
 servefile \- small HTTP-Server for temporary file transfer
diff -Nru servefile-0.4.3/setup.py servefile-0.4.4/setup.py
--- servefile-0.4.3/setup.py	2013-12-28 02:22:22.000000000 +0100
+++ servefile-0.4.4/setup.py	2015-11-10 21:11:58.000000000 +0100
@@ -7,7 +7,7 @@
 	description='Serve files from shell via a small HTTP server',
 	long_description='Serve files from shell via a small HTTP server. The server redirects all HTTP requests to the file, so only IP and port must be given to another user to access the file. Its main purpose is to quickly send a file to users in your local network, independent of their current setup (OS/software). Beneath that it also supports uploads, SSL, HTTP basic auth and directory listings.',
 	platforms='posix',
-	version='0.4.3',
+	version='0.4.4',
 	license='GPLv3 or later',
 	url='http://seba-geek.de/stuff/servefile/',
 	author='Sebastian Lohff',

--- End Message ---

--- Begin Message ---

• To: 804787-done@bugs.debian.org, Sebastian Lohff <seba@someserver.de>
• Subject: Re: Bug#804787: jessie-pu: package servefile/0.4.3-1
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sun, 17 Jun 2018 20:24:44 +0100
• Message-id: <1529263484.2082.43.camel@adam-barratt.org.uk>
• In-reply-to: <[🔎] 1528920730.2806.69.camel@adam-barratt.org.uk>
• References: <20151111163916.1474.54339.reportbug@claptrap.lair.seba-geek.de> <706d2342c9f1dc5648fa3eb893727eae@mail.adam-barratt.org.uk> <565497E1.10700@someserver.de> <1451671691.2006.30.camel@adam-barratt.org.uk> <20151111163916.1474.54339.reportbug@claptrap.lair.seba-geek.de> <[🔎] 1528920730.2806.69.camel@adam-barratt.org.uk>

Control: tags -1 + wontfix

On Wed, 2018-06-13 at 21:12 +0100, Adam D. Barratt wrote:
> On Fri, 2016-01-01 at 18:08 +0000, Adam D. Barratt wrote:
> > On Tue, 2015-11-24 at 18:01 +0100, Sebastian Lohff wrote:
> > > I attached a new debdiff with a more meaningful changelog.
> > > 
> > > +servefile (0.4.4-1~deb8u1) jessie; urgency=high
> > > +
> > > +  * Upstream bugfix release
> > > +  * Fix for path traversal bug in directory listing mode
> > > +  * SSL hardening (prefer TLS1.2/TLS1)
> > 
> > Thanks.
> > 
> > +               # choose TLS1.2 or TLS1, if available
> > +               sslMethod = None
> > +               if hasattr(SSL, "TLSv1_2_METHOD"):
> > +                       sslMethod = SSL.TLSv1_2_METHOD
> > +               elif hasattr(SSL, "TLSv1_METHOD"):
> > +                       sslMethod = SSL.TLSv1_METHOD
> > 
> > Why is TLS1.1 explicitly avoided here? Might it make more sense to
> > use
> > TLS_METHOD and SSL_OP_NO_SSLv3 and let the client and server
> > negotiate
> > the highest mutually-supported protocol?
> > 
> 
> Ping?
> 
> The above mail was sent nearly 2.5 years ago, and there's been no
> follow-up. The window for getting fixes into jessie before it becomes
> LTS closes during the coming weekend.

Unfortunately there was no reply to the above query, and the window for
getting fixes in to the final point release for jessie (before it moves
to LTS support) has now closed.

Regards,

Adam

--- End Message ---