Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package websvn. It fixes a security issue. unblock websvn/2.3.3-1.2 Thanks, Thijs
diff -Nru websvn-2.3.3/debian/changelog websvn-2.3.3/debian/changelog
--- websvn-2.3.3/debian/changelog 2012-04-17 17:32:27.000000000 +0000
+++ websvn-2.3.3/debian/changelog 2015-01-24 12:42:37.000000000 +0000
@@ -1,3 +1,11 @@
+websvn (2.3.3-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Disable download of in-repository symlinks to prevent arbitrary
+ file access (CVE-2013-6892, Closes: #775682).
+
+ -- Thijs Kinkhorst <[email protected]> Sat, 24 Jan 2015 12:31:44 +0000
+
 websvn (2.3.3-1.1) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch
--- websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch 1970-01-01 00:00:00.000000000 +0000
+++ websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch 2015-01-24 12:41:10.000000000 +0000
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <[email protected]>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php 2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ exit(0);
+ }
+ 
++ // For security reasons, disallow direct downloads of filenames that
++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++ // Deciding whether the symlink is relative and legal within the
++ // repository would be nice but seems to error prone at this moment.
++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++ header('HTTP/1.x 500 Internal Server Error', true, 500);
++ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++ removeDirectory($tempDir);
++ exit(0);
++ }
++ 
+ // Set timestamp of exported directory (and subdirectories) to timestamp of
+ // the revision so every archive of a given revision has the same timestamp.
+ $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ $downloadMimeType = 'application/x-zip';
+ $downloadArchive .= '.zip';
+ // Create zip file
+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ execCommand($cmd, $retcode);
+ if ($retcode != 0) {
+ error_log('Unable to call zip command: '.$cmd);
diff -Nru websvn-2.3.3/debian/patches/series websvn-2.3.3/debian/patches/series
--- websvn-2.3.3/debian/patches/series 2011-06-11 15:01:59.000000000 +0000
+++ websvn-2.3.3/debian/patches/series 2015-01-24 12:41:27.000000000 +0000
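Review bot: The `is_link()` guard only inspects the top-level exported entry `$tempDir.DIRECTORY_SEPARATOR.$archiveName`, so when the requested path is a directory a symlink nested inside the export is never seen by this check and the protection rests entirely on the archiver not dereferencing links; the second hunk adds `--symlinks` to the zip branch, but no tar/gz branch appears in the patch, so confirm that path (if dl.php has one) invokes tar without `-h`/`--dereference`, or add the same guard there. Separately, refusing a symlink is a policy decision rather than a server fault, so a 403 is the more accurate status on the `header(...)` line and keeps these rejections out of 5xx error monitoring: `header('HTTP/1.x 403 Forbidden', true, 403);`. Minor: the added comment reads "seems to error prone" and should be `seems too error prone`. The surrounding dl.php code (the `exit(0); }` context before the guard and the archive-format dispatch around the zip branch) starts and ends outside the hunk, so the claim that this guard precedes every download path could not be verified here.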
@@ -1,3 +1,4 @@
+13_security_CVE-2013-6892.patch
 21_fix_conf_file.patch
 22_use_global_geshi.patch
 25_readme_multiviews

