
Bug#982996: buster-pu: package awstats/7.6+dfsg-2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no

These are the same changes which were implemented in stretch, two
upstream patches. Both of these patches resolve a path traversal flaw,
which was first discovered with CVE-2017-1000501.


[ Reason ]
This update fixes bugs #891469 and #977197, which are CVE-2020-29600
and CVE-2020-35176.

[ Impact ]
Possibility to parse and read files in the /etc directory

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


Regards,
Håvard


diff -Nru awstats-7.6+dfsg/debian/changelog awstats-7.6+dfsg/debian/changelog
--- awstats-7.6+dfsg/debian/changelog	2018-02-02 02:21:35.000000000 +0100
+++ awstats-7.6+dfsg/debian/changelog	2021-02-02 09:35:23.000000000 +0100
@@ -1,3 +1,19 @@
+awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
+    pathname, even though it was intended to only read a file in the
+    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
+    an incomplete fix for CVE-2017-1000501. Closes: #891469
+  * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
+    accepts a partial absolute pathname (omitting the initial /etc), even
+    though it was intended to only read a file in the
+    /etc/awstats/awstats.conf format. NOTE: this issue exists because of
+    an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
+    Closes: #977190
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Tue, 02 Feb 2021 09:35:23 +0100
+
 awstats (7.6+dfsg-2) unstable; urgency=medium

   * QA upload.
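Review bot: the bug number closed for CVE-2020-35176 in this changelog entry (`Closes: #977190`) does not match the one given in the cover text of this request (#977197); one of the two is a typo, and since `Closes:` is what the BTS acts on, please confirm which bug actually tracks CVE-2020-35176 before upload. The two Bug-Debian headers in the new patch files should then agree with it as well.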
diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch
--- awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch	1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch	2021-02-02 09:35:23.000000000 +0100
@@ -0,0 +1,55 @@
+From: Laurent Destailleur <eldy@destailleur.fr>
+Date: Mon, 17 Dec 2018 12:59:51 +0100
+Subject: [PATCH] FIX #90
+
+Fixes #90/CVE-2020-29600
+
+Origin: upstream, https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376
+Bug: https://github.com/eldy/awstats/issues/90
+Bug-Debian: https://bugs.debian.org/#891469
+Last-Update: 2021-02-02
+Reviewed-by: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
+
+---
+ wwwroot/cgi-bin/awstats.pl | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1781,21 +1781,21 @@
+ 	}
+
+ 	#CL - Added to open config if full path is passed to awstats
+-	if ( !$FileConfig ) {
+-
+-		my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+-		debug("Finally, try to open an absolute path : $SiteConfigBis", 2);
+-
+-		if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
+-			$FileConfig = "$SiteConfigBis";
+-			$FileSuffix = '';
+-			if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
+-			$SiteConfig=$SiteConfigBis;
+-		}
+-		else {
+-			if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);}
+-		}
+-	}
++    #if ( !$FileConfig ) {
++    #
++    #		my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
++    #		debug("Finally, try to open an absolute path : $SiteConfigBis", 2);
++    #
++    #		if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
++    #			$FileConfig = "$SiteConfigBis";
++    #			$FileSuffix = '';
++    #			if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
++    #			$SiteConfig=$SiteConfigBis;
++    #		}
++    #		else {
++    #			if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);}
++    #		}
++    #	}
+
+ 	if ( !$FileConfig ) {
+ 		if ($DEBUGFORCED || !$ENV{'GATEWAY_INTERFACE'}){
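Review bot: the upstream fix carried here disables the absolute-path fallback by commenting out the whole `if ( !$FileConfig ) { ... }` block rather than deleting it, and the commented copy uses four-space indentation where the surrounding code uses tabs, so the file keeps fifteen lines of dead, inconsistently indented code; since this is the code that let `config=` open an arbitrary absolute path, removing the block outright would make the intent clearer to anyone auditing the file later. Two smaller points in the same hunk: the diffstat lines (`34 ++++++++++++++++++----------------` / `18 insertions(+), 16 deletions(-)`) do not match the single 15-line-out, 15-line-in hunk that follows, which suggests the patch was trimmed from the upstream commit without updating the stat, and the `Bug-Debian: https://bugs.debian.org/#891469` URL has a stray `#`, which turns the bug number into a URL fragment; the usual form is `https://bugs.debian.org/891469`.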
diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch
--- awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch	1970-01-01 01:00:00.000000000 +0100
+++ awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch	2021-02-02 09:35:23.000000000 +0100
@@ -0,0 +1,33 @@
+From: Beuc <beuc@beuc.net>
+Date: Thu, 17 Dec 2020 18:14:43 +0100
+Subject: Only look for configuration in dedicated awstats directories
+
+Fixes #195/CVE-2020-35176
+
+Origin: upstream, https://github.com/eldy/AWStats/pull/196/commits/0d4d4c05f8e73be8f71dd361dc55cbd52858b823
+Bug: https://github.com/eldy/awstats/issues/195
+Bug-Debian: https://bugs.debian.org/#977190
+---
+ wwwroot/cgi-bin/awstats.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index a003993..598d6b7 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1677,13 +1677,13 @@ sub Read_Config {
+ 	# Check config file in common possible directories :
+ 	# Windows :                   				"$DIR" (same dir than awstats.pl)
+ 	# Standard, Mandrake and Debian package :	"/etc/awstats"
+-	# Other possible directories :				"/usr/local/etc/awstats", "/etc"
++	# Other possible directories :				"/usr/local/etc/awstats",
+ 	# FHS standard, Suse package : 				"/etc/opt/awstats"
+ 	my $configdir         = shift;
+ 	my @PossibleConfigDir = (
+ 			"$DIR",
+ 			"/etc/awstats",
+-			"/usr/local/etc/awstats", "/etc",
++			"/usr/local/etc/awstats",
+ 			"/etc/opt/awstats"
+ 		);
+
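Review bot: dropping `"/etc"` from `@PossibleConfigDir` is a user-visible behaviour change for installations that keep `awstats.<site>.conf` directly in `/etc` rather than in `/etc/awstats`; after this update those configs will silently stop being found, and neither the changelog entry nor this patch header mentions it, so a short note in d/changelog (or a NEWS entry) pointing affected users at `/etc/awstats` would be worthwhile. Also in this hunk, the updated comment line `# Other possible directories :				"/usr/local/etc/awstats",` keeps a trailing comma that no longer separates anything, and the `Bug-Debian: https://bugs.debian.org/#977190` URL has the same stray `#` as the other patch header; the usual form is `https://bugs.debian.org/977190`.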
diff -Nru awstats-7.6+dfsg/debian/patches/series awstats-7.6+dfsg/debian/patches/series
--- awstats-7.6+dfsg/debian/patches/series	2017-12-15 21:55:12.000000000 +0100
+++ awstats-7.6+dfsg/debian/patches/series	2021-02-02 09:35:23.000000000 +0100
@@ -13,3 +13,5 @@
 2009_googlesearch.patch
 CVE-2017-1000501-1.patch
 CVE-2017-1000501-2.patch
+CVE-2020-29600.patch
+CVE-2020-35176.patch
