Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id
<5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #982996,
regarding buster-pu: package awstats/7.6+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982996
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
These are the same changes which were implemented in stretch, two
upstream patches. Both of these patches resolve a path traversal flaw,
which was first discovered with CVE-2017-1000501.
[ Reason ]
This update fixes bugs #891469 and #977197, which are CVE-2020-29600
and CVE-2020-35176.
[ Impact ]
Possibility to parse and read files in the /etc directory.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Håvard
diff -Nru awstats-7.6+dfsg/debian/changelog awstats-7.6+dfsg/debian/changelog
--- awstats-7.6+dfsg/debian/changelog 2018-02-02 02:21:35.000000000 +0100
+++ awstats-7.6+dfsg/debian/changelog 2021-02-02 09:35:23.000000000 +0100
@@ -1,3 +1,19 @@
+awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute
+ pathname, even though it was intended to only read a file in the
+ /etc/awstats/awstats.conf format. NOTE: this issue exists because of
+ an incomplete fix for CVE-2017-1000501. Closes: #891469
+ * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config=
+ accepts a partial absolute pathname (omitting the initial /etc), even
+ though it was intended to only read a file in the
+ /etc/awstats/awstats.conf format. NOTE: this issue exists because of
+ an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
+ Closes: #977190
+
+ -- Håvard Flaget Aasen <[email protected]> Tue, 02 Feb 2021 09:35:23
+0100
+
awstats (7.6+dfsg-2) unstable; urgency=medium
* QA upload.
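Review bot: the "Closes: #977190" on the CVE-2020-35176 entry does not match the #977197 given in the [Reason] section of this request; the CVE-2020-35176.patch header also says #977190, so one of the two numbers is a typo and should be confirmed before upload, otherwise the wrong bug gets closed (or none). The CVE-2020-35176 entry also only repeats the CVE text; since that patch drops "/etc" from the config search path, a sentence here (or a NEWS entry) telling administrators who keep awstats.*.conf directly in /etc to move it to /etc/awstats would save them a silent "config not found" after the point release.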
diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch
awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch
--- awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch 1970-01-01
01:00:00.000000000 +0100
+++ awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch 2021-02-02
09:35:23.000000000 +0100
@@ -0,0 +1,55 @@
+From: Laurent Destailleur <[email protected]>
+Date: Mon, 17 Dec 2018 12:59:51 +0100
+Subject: [PATCH] FIX #90
+
+Fixes #90/CVE-2020-29600
+
+Origin: upstream,
https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376
+Bug: https://github.com/eldy/awstats/issues/90
+Bug-Debian: https://bugs.debian.org/#891469
+Last-Update: 2021-02-02
+Reviewed-by: Håvard Flaget Aasen <[email protected]>
+
+---
+ wwwroot/cgi-bin/awstats.pl | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1781,21 +1781,21 @@
+ }
+
+ #CL - Added to open config if full path is passed to awstats
+- if ( !$FileConfig ) {
+-
+- my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+- debug("Finally, try to open an absolute path : $SiteConfigBis",
2);
+-
+- if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
+- $FileConfig = "$SiteConfigBis";
+- $FileSuffix = '';
+- if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
+- $SiteConfig=$SiteConfigBis;
+- }
+- else {
+- if ($Debug){debug("Unable to open config file:
$SiteConfigBis", 2);}
+- }
+- }
++ #if ( !$FileConfig ) {
++ #
++ # my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
++ # debug("Finally, try to open an absolute path : $SiteConfigBis",
2);
++ #
++ # if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
++ # $FileConfig = "$SiteConfigBis";
++ # $FileSuffix = '';
++ # if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
++ # $SiteConfig=$SiteConfigBis;
++ # }
++ # else {
++ # if ($Debug){debug("Unable to open config file:
$SiteConfigBis", 2);}
++ # }
++ # }
+
+ if ( !$FileConfig ) {
+ if ($DEBUGFORCED || !$ENV{'GATEWAY_INTERFACE'}){
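Review bot: the fix comments the whole rel2abs() fallback out instead of deleting it, leaving seventeen lines of dead code that a later merge or a well-meaning cleanup could re-enable in one keystroke; as this is the upstream commit carried verbatim that is acceptable for a stable update, but a follow-up that removes the block (or a note in the patch description that the block is intentionally retired, not temporarily disabled) would be better. Also the "Bug-Debian: https://bugs.debian.org/#891469" line uses a fragment, which the BTS never receives; the usual DEP-3 form is https://bugs.debian.org/891469.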
diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch
awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch
--- awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch 1970-01-01
01:00:00.000000000 +0100
+++ awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch 2021-02-02
09:35:23.000000000 +0100
@@ -0,0 +1,33 @@
+From: Beuc <[email protected]>
+Date: Thu, 17 Dec 2020 18:14:43 +0100
+Subject: Only look for configuration in dedicated awstats directories
+
+Fixes #195/CVE-2020-35176
+
+Origin: upstream,
https://github.com/eldy/AWStats/pull/196/commits/0d4d4c05f8e73be8f71dd361dc55cbd52858b823
+Bug: https://github.com/eldy/awstats/issues/195
+Bug-Debian: https://bugs.debian.org/#977190
+---
+ wwwroot/cgi-bin/awstats.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index a003993..598d6b7 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1677,13 +1677,13 @@ sub Read_Config {
+ # Check config file in common possible directories :
+ # Windows : "$DIR" (same
dir than awstats.pl)
+ # Standard, Mandrake and Debian package : "/etc/awstats"
+- # Other possible directories :
"/usr/local/etc/awstats", "/etc"
++ # Other possible directories :
"/usr/local/etc/awstats",
+ # FHS standard, Suse package :
"/etc/opt/awstats"
+ my $configdir = shift;
+ my @PossibleConfigDir = (
+ "$DIR",
+ "/etc/awstats",
+- "/usr/local/etc/awstats", "/etc",
++ "/usr/local/etc/awstats",
+ "/etc/opt/awstats"
+ );
+
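Review bot: removing "/etc" from @PossibleConfigDir is the right narrowing, but the list still starts with "$DIR", the directory of awstats.pl itself, so the first place searched for a config is the CGI directory; that is the upstream choice, and nothing in this hunk restricts what a config= name can select there, so it is worth confirming the web server cannot write into that directory on a Debian install. On the header: the Origin URL points at a commit inside pull request 196 rather than the merged mainline commit, so the reference stops resolving if the PR branch is rewritten; record the merged hash, and add the Last-Update and Reviewed-by fields the sibling CVE-2020-29600.patch carries so the two DEP-3 headers are consistent.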
diff -Nru awstats-7.6+dfsg/debian/patches/series
awstats-7.6+dfsg/debian/patches/series
--- awstats-7.6+dfsg/debian/patches/series 2017-12-15 21:55:12.000000000
+0100
+++ awstats-7.6+dfsg/debian/patches/series 2021-02-02 09:35:23.000000000
+0100
@@ -13,3 +13,5 @@
2009_googlesearch.patch
CVE-2017-1000501-1.patch
CVE-2017-1000501-2.patch
+CVE-2020-29600.patch
+CVE-2020-35176.patch
--- End Message ---
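A worked illustration of the lookup logic the two patches change, added here as an example; it is not awstats code and not taken from the debdiff above. It models a simplified version of the lookup (a loop over candidate directories for awstats.<name>.conf followed by an unrestricted File::Spec->rel2abs fallback, as the first hunk shows being disabled) next to a hardened variant that restricts the name, searches only dedicated directories and checks the resolved path stays inside them. The function names, the scratch directory tree and the file contents are constructed for the demonstration and stand in for the real /etc.

```perl
#!/usr/bin/perl
# Added example (not awstats code): a simplified model of the config=
# lookup, vulnerable form beside a hardened form, self-tested in a
# temporary directory tree so it never touches the real /etc.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Vulnerable lookup, modelled on the pre-patch logic in the first hunk:
# try awstats.<name>.conf in each candidate directory, then fall back to
# opening whatever absolute path rel2abs() makes of the raw parameter.
sub resolve_config_vulnerable {
    my ($name, @dirs) = @_;
    for my $dir (@dirs) {
        my $candidate = "$dir/awstats.$name.conf";
        return $candidate if -f $candidate;
    }
    # This fallback is the CVE-2020-29600 problem: an already absolute
    # config=/etc/passwd comes back unchanged and is then read as a config.
    my $abs = File::Spec->rel2abs($name);
    return -f $abs ? $abs : undef;
}

# Hardened lookup: strict allow-list on the site name (no '/', no NUL,
# no '..'), dedicated directories only, no absolute-path fallback, and a
# realpath containment check so a symlink inside the directory cannot
# point the lookup at a file outside it.
sub resolve_config_hardened {
    my ($name, @dirs) = @_;
    return undef unless defined $name
        && $name =~ /\A[\w.-]+\z/
        && $name !~ /\.\./;
    for my $dir (@dirs) {
        my $candidate = "$dir/awstats.$name.conf";
        next unless -f $candidate;
        my $real    = realpath($candidate) // next;
        my $realdir = realpath($dir)       // next;
        return $real if index($real, "$realdir/") == 0;
    }
    return undef;
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh;
}

# --- self-test on a constructed scratch tree (stand-in for /etc) -------
my $root = tempdir(CLEANUP => 1);
mkdir "$root/etc"         or die "mkdir: $!";
mkdir "$root/etc/awstats" or die "mkdir: $!";
write_file("$root/etc/awstats/awstats.example.conf",
           "LogFile=/var/log/apache2/access.log\n");
write_file("$root/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n");
# A symlink inside the config directory that escapes it.
symlink "$root/etc/passwd", "$root/etc/awstats/awstats.link.conf"
    or die "symlink: $!";

my @dirs = ("$root/etc/awstats");

# name => [ what the vulnerable lookup returns, should hardened accept it ]
my %case = (
    'example'          => [ "$root/etc/awstats/awstats.example.conf", 1 ],
    "$root/etc/passwd" => [ "$root/etc/passwd",                       0 ],
    'link'             => [ "$root/etc/awstats/awstats.link.conf",    0 ],
);
for my $name (sort keys %case) {
    my ($vuln_expect, $hardened_ok) = @{ $case{$name} };
    my $v = resolve_config_vulnerable($name, @dirs);
    my $h = resolve_config_hardened($name, @dirs);
    printf "config=%s\n  vulnerable: %s\n  hardened:   %s\n",
        $name, $v // '(none)', $h // '(none)';
    die "vulnerable model mismatch for $name"
        unless defined $v && $v eq $vuln_expect;
    if ($hardened_ok) {
        die "hardened lookup rejected a legitimate name"
            unless defined $h && $h eq realpath($vuln_expect);
    }
    else {
        die "hardened lookup accepted $name" if defined $h;
    }
}
print "ok\n";
```

Run it as a plain Perl script; it needs only core modules. The legitimate name resolves in both variants, the absolute path is returned by the vulnerable lookup only, and the symlink case shows why the containment check matters even after the directory list is narrowed and the fallback removed: restricting the name to `[\w.-]+` stops traversal in the parameter, but not a file an administrator or another package placed inside the directory that points elsewhere.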
--- Begin Message ---
Package: release.debian.org
Version: 10.10
Hi,
Each of the updates referenced in these bugs was included in the 10.10
point release today.
Regards,
Adam
--- End Message ---