Your message dated Sat, 24 Jan 2015 19:18:38 +0000
with message-id <e1yf6ea-0008uk...@franck.debian.org>
and subject line Bug#775682: fixed in websvn 2.3.1-1+deb6u1
has caused the Debian Bug report #775682,
regarding websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: websvn
Severity: serious
Tags: security patch

Hi,

James Clawson reported:

"Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).

An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.

Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
  resolved on the web server).

This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories."


I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.

I've created attached patch which solves the bug.

Cheers,
Thijs
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
 		exit(0);
 	}
 
+	// For security reasons, disallow direct downloads of filenames that
+	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+	// Deciding whether the symlink is relative and legal within the
+	// repository would be nice but seems to error prone at this moment.
+	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+		header('HTTP/1.x 500 Internal Server Error', true, 500);
+		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
+		removeDirectory($tempDir);
+		exit(0);
+	}
+
 	// Set timestamp of exported directory (and subdirectories) to timestamp of
 	// the revision so every archive of a given revision has the same timestamp.
 	$revDate = $logEntry->date;
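Review bot: the `is_link()` test on `$tempDir.DIRECTORY_SEPARATOR.$archiveName` inspects only the entry the user asked for; a symlink nested inside a requested directory is never looked at here, so for directory downloads the fix relies entirely on the archiver not dereferencing links. Consider walking the exported tree (or at least documenting that dependency in the comment). Also, the comment reads "seems to error prone" where "seems too error prone" is meant.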
@@ -180,7 +192,7 @@
 		$downloadMimeType = 'application/x-zip';
 		$downloadArchive .= '.zip';
 		// Create zip file
-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
 		execCommand($cmd, $retcode);
 		if ($retcode != 0) {
 			error_log('Unable to call zip command: '.$cmd);
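Review bot: `--symlinks` (short form `-y`) is an Info-ZIP option that stores a link as a link instead of following it, which is what keeps nested symlinks out of the zip; if `$config->zip` can point at a different zip implementation, the option will be rejected, the command will return non-zero and the existing `error_log('Unable to call zip command: '.$cmd)` branch will fire, so the Info-ZIP requirement deserves a mention in the config documentation. The non-zip download mode is not touched by this patch; it is worth confirming that archiver does not dereference symlinks either.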

--- End Message ---
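The report above describes symlinks committed to a repository being resolved on the web server once the exported tree is served for download, and the attached patch refuses a download only when the requested top-level entry itself is a symlink. As an added example, not part of this bug report or of websvn's code, here is a Python containment check that goes one step further: it rejects any entry whose resolved path leaves the export directory, including symlinks nested inside a requested directory and plain `..` traversal. The directory layout it builds, including the file named `passwd` standing in for `/etc/passwd`, is constructed for the demonstration; `is_contained`, `offending_entries` and `build_demo` are names chosen here.

```python
"""Containment check for repository exports before they are served for download.
Added example (not websvn code): refuse any entry whose resolved path escapes the
export directory, which covers a symlink at the requested path, symlinks nested
inside a requested directory, and plain '..' traversal."""
import os
import tempfile


def is_contained(export_dir: str, rel_path: str) -> bool:
    """True only if rel_path, with every symlink resolved, still lies inside export_dir."""
    root = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows) share no prefix
        return False


def offending_entries(export_dir: str, rel_path: str) -> list:
    """List every entry under rel_path (a file or directory inside export_dir) that is a
    symlink or whose resolved path leaves export_dir. An empty list means safe to serve."""
    bad = []
    top = os.path.join(export_dir, rel_path)
    if os.path.islink(top) or not is_contained(export_dir, rel_path):
        bad.append(rel_path)
    # Only descend into real directories; os.walk does not follow links by default,
    # but it still lists symlinked directories in dirnames so they are caught below.
    if os.path.isdir(top) and not os.path.islink(top):
        for dirpath, dirnames, filenames in os.walk(top):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, export_dir)
                if os.path.islink(full) or not is_contained(export_dir, rel):
                    bad.append(rel)
    return sorted(bad)


def build_demo() -> tuple:
    """Construct a throwaway layout mirroring the report: a regular file, a symlink
    pointing outside the export, and a directory holding a nested symlink.
    Returns (base_dir, export_dir)."""
    base = tempfile.mkdtemp(prefix="websvn-demo-")
    secret = os.path.join(base, "passwd")  # constructed stand-in for /etc/passwd
    with open(secret, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    export = os.path.join(base, "export")
    os.makedirs(os.path.join(export, "docs"))
    with open(os.path.join(export, "README"), "w") as fh:
        fh.write("hello\n")
    os.symlink(secret, os.path.join(export, "passwd-link"))            # top-level symlink
    os.symlink(secret, os.path.join(export, "docs", "nested-link"))    # nested symlink
    return base, export


if __name__ == "__main__":
    _, export_dir = build_demo()
    for entry in ("README", "passwd-link", "docs", "../passwd"):
        problems = offending_entries(export_dir, entry)
        print(f"{entry}: {'ok' if not problems else 'refuse ' + str(problems)}")
```

The check is meant to run on the freshly exported temporary directory, right where the patch places its `is_link()` test, so the decision is made on exactly the tree the archiver is about to read. Resolving with `realpath` rather than only testing `islink` also rejects a link whose target is another link, and the `commonpath` comparison is what distinguishes a relative link that stays inside the export (which this check still flags, because it is a symlink) from one that escapes.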
--- Begin Message ---
Source: websvn
Source-Version: 2.3.1-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.1-1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 websvn     - interface for Subversion repositories written in PHP
Closes: 775682
Changes: 
 websvn (2.3.1-1+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
     file access (CVE-2013-6892, Closes: #775682).
Checksums-Sha1: 
 0004104959ce476a2e739b290a5162234715af05 1327 websvn_2.3.1-1+deb6u1.dsc
 9949834c4b5fa37f7f2240b47ccb7ca313fc8395 25518 websvn_2.3.1-1+deb6u1.diff.gz
 f8aebd29348ab556a10ba14c3afef65c6d478228 256202 websvn_2.3.1-1+deb6u1_all.deb
Checksums-Sha256: 
 eff678346fcd66a944ac12bb3dec163ae7a5b2efe9ee0f5b1f730687646c0889 1327 websvn_2.3.1-1+deb6u1.dsc
 c66257306a36cfc2c7be1a0782e9b64f6ff5d32d108c647607ef75b99c23008f 25518 websvn_2.3.1-1+deb6u1.diff.gz
 b7bdafdaefae47a061abcef2c36c25e0479b38e71b5613c287e3bc16fca204b7 256202 websvn_2.3.1-1+deb6u1_all.deb
Files: 
 8d5c9d2d675778110bfac7db3cac9c3a 1327 devel optional websvn_2.3.1-1+deb6u1.dsc
 dbb360110f92ea25558f525e114feb73 25518 devel optional websvn_2.3.1-1+deb6u1.diff.gz
 03b330c89efbb8d45dabf77e990cafdd 256202 devel optional websvn_2.3.1-1+deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJUw9tOAAoJEFb2GnlAHawEvZ0H+QGXnqEK6jPU3V0Lpru534nt
SEmPLjJBqcWarZVcak2Yx7P8tA99ZwksHFK+y5LbJrSALuQkkCc2fWOel4uJQzLj
9o8MczWrrQQKf8o3+hr6JlEnTz9rpMsytFTsBLvZx+9SmOpOGiNh2glGfoSDZD7h
LWLRSq+zrtbeNncD/FcgsEQIBz4nd44wkI7/Ss0DA8eTkvmSMEdipEZb+XYAgYKd
9G5QzYUvUwbAVw3tj7Qz2qb0UvWjvgk+W/jz5p1+OARehIXcmV8d2E5BfeovHQsy
No9GLkAkVLDPxxTxvFtVpNtBtYxRJ9Lh+RfN+Y4k6J01H98qzyrTGS49A4YouFM=
=pWDW
-----END PGP SIGNATURE-----

--- End Message ---