Bug#896841: marked as done (jessie-pu: package psensor/1.1.3-2)

Sat, 23 Jun 2018 04:39:39 -0700 

Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <[email protected]>
and subject line Closing bugs for requests included in the EoL jessie point 
release
has caused the Debian Bug report #896841,
regarding jessie-pu: package psensor/1.1.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
896841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hi,

I have prepared a security update for psensor to fix CVE-2014-10073 in
Jessie. This is Debian bug #896195. The security team has marked this
issue as no-dsa. I am going to upload the new revision shortly. Please
find attached the debdiff.

Regards,

Markus

diff -Nru psensor-1.1.3/debian/changelog psensor-1.1.3/debian/changelog
--- psensor-1.1.3/debian/changelog      2014-10-13 09:20:27.000000000 +0200
+++ psensor-1.1.3/debian/changelog      2018-04-24 21:23:26.000000000 +0200
@@ -1,3 +1,12 @@
+psensor (1.1.3-2+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2014-10073: The create_response function in server/server.c in
+    Psensor allows Directory Traversal because it lacks a check for whether a
+    file is under the webserver directory. (Closes: #896195)
+
+ -- Markus Koschany <[email protected]>  Tue, 24 Apr 2018 21:23:26 +0200
+
 psensor (1.1.3-2) unstable; urgency=medium
 
   * debian/control
diff -Nru psensor-1.1.3/debian/patches/CVE-2014-10073.patch 
psensor-1.1.3/debian/patches/CVE-2014-10073.patch
--- psensor-1.1.3/debian/patches/CVE-2014-10073.patch   1970-01-01 
01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/CVE-2014-10073.patch   2018-04-24 
21:23:26.000000000 +0200
@@ -0,0 +1,74 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 23 Apr 2018 23:51:42 +0200
+Subject: CVE-2014-10073
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896195
+Origin: 
http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c
+---
+ src/server/server.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/server/server.c b/src/server/server.c
+index 5862586..fd5662a 100644
+--- a/src/server/server.c
++++ b/src/server/server.c
+@@ -23,6 +23,7 @@
+ #include <libintl.h>
+ #define _(str) gettext(str)
+ 
++#include <limits.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -246,13 +247,24 @@ static struct MHD_Response *
+ create_response(const char *nurl, const char *method, unsigned int *rp_code)
+ {
+       struct MHD_Response *resp = NULL;
++      char *rpath;
++      int n;
+ 
+       if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
+               resp = create_response_api(nurl, method, rp_code);
+       } else {
+               char *fpath = get_path(nurl, server_data.www_dir);
+ 
+-              resp = create_response_file(nurl, method, rp_code, fpath);
++              rpath = realpath(fpath, NULL);
++              if (rpath) {
++                      n = strlen(server_data.www_dir);
++                      if (!strncmp(server_data.www_dir, rpath, n))
++                              resp = create_response_file(nurl,
++                                                          method,
++                                                          rp_code,
++                                                          fpath);
++                      free(rpath);
++              }
+ 
+               free(fpath);
+       }
+@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
+               switch (optc) {
+               case 'w':
+                       if (optarg)
+-                              server_data.www_dir = strdup(optarg);
++                              server_data.www_dir = realpath(optarg, NULL);
+                       break;
+               case 'p':
+                       if (optarg)
+@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
+               exit(EXIT_FAILURE);
+       }
+ 
+-      if (!server_data.www_dir)
+-              server_data.www_dir = strdup(DEFAULT_WWW_DIR);
++      if (!server_data.www_dir) {
++              server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
++              if (!server_data.www_dir) {
++                      fprintf(stderr,
++                              _("Webserver directory does not exist.\n"));
++                      exit(EXIT_FAILURE);
++              }
++      }
+ 
+       if (!log_file)
+               log_file = strdup(DEFAULT_LOG_FILE);
diff -Nru psensor-1.1.3/debian/patches/series 
psensor-1.1.3/debian/patches/series
--- psensor-1.1.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/series 2018-04-24 21:23:26.000000000 +0200
@@ -0,0 +1 @@
+CVE-2014-10073.patch

--- End Message ---
--- Begin Message --- 
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---

Reply via email to