Your message dated Mon, 26 Jan 2015 08:41:25 +0100
with message-id <54c5efa5.8010...@thykier.net>
and subject line Re: Bug#776200: unblock: websvn/2.3.3-1.2
has caused the Debian Bug report #776200,
regarding unblock: websvn/2.3.3-1.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
776200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package websvn.
It fixes a security issue.
unblock websvn/2.3.3-1.2
Thanks,
Thijs
diff -Nru websvn-2.3.3/debian/changelog websvn-2.3.3/debian/changelog
--- websvn-2.3.3/debian/changelog 2012-04-17 17:32:27.000000000 +0000
+++ websvn-2.3.3/debian/changelog 2015-01-24 12:42:37.000000000 +0000
@@ -1,3 +1,11 @@
+websvn (2.3.3-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Disable download of in-repository symlinks to prevent arbitrary
+ file access (CVE-2013-6892, Closes: #775682).
+
+ -- Thijs Kinkhorst <th...@debian.org> Sat, 24 Jan 2015 12:31:44 +0000
+
websvn (2.3.3-1.1) unstable; urgency=low
* Non-maintainer upload.
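Review bot: the changelog entry describes only the refusal of direct symlink downloads, but the accompanying patch also changes the zip invocation so that links inside an exported directory are stored as links rather than followed; a second bullet such as `* Store symlinks as symlinks in zip archives instead of following them.` would let administrators see that archive downloads of repositories containing links now behave differently. The CVE and Closes references are present and urgency=high is appropriate for a security NMU.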
diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch
--- websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch 1970-01-01 00:00:00.000000000 +0000
+++ websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch 2015-01-24 12:41:10.000000000 +0000
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <th...@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php 2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ exit(0);
+ }
+
++ // For security reasons, disallow direct downloads of filenames that
++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++ // Deciding whether the symlink is relative and legal within the
++ // repository would be nice but seems to error prone at this moment.
++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++ header('HTTP/1.x 500 Internal Server Error', true, 500);
++ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++ removeDirectory($tempDir);
++ exit(0);
++ }
++
+ // Set timestamp of exported directory (and subdirectories) to timestamp of
+ // the revision so every archive of a given revision has the same timestamp.
+ $revDate = $logEntry->date;
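Review bot: the `is_link()` test covers only the top-level export path `$tempDir.DIRECTORY_SEPARATOR.$archiveName`; when the exported item is a directory (the next hunk archives it recursively with `-r`), links nested inside it are not caught here, so protection for that case rests entirely on the archiver not dereferencing them. Two smaller points: a refusal for policy reasons reads more naturally as `403 Forbidden` than `500 Internal Server Error`, since a 500 will be counted as a server fault by monitoring, and the comment has a typo, "seems to error prone" should read "seems too error prone". Logging the refused name via `error_log` while escaping it with `xml_entities()` in the response is sensible.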
+@@ -180,7 +192,7 @@
+ $downloadMimeType = 'application/x-zip';
+ $downloadArchive .= '.zip';
+ // Create zip file
+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ execCommand($cmd, $retcode);
+ if ($retcode != 0) {
+ error_log('Unable to call zip command: '.$cmd);
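Review bot: `--symlinks` makes zip store a link entry as a link instead of following it, so an archive of a directory that contains a link to /etc/passwd no longer carries that file's contents; this is the necessary complement to the top-level `is_link()` check in the previous hunk. Only the zip branch is touched here, so confirm that any other archive format dl.php produces (a tar branch, if one exists outside this hunk) also stores links rather than dereferencing them, otherwise the same read remains reachable through that format. The description at the top of the patch mentions only the direct-download case; one sentence noting that zip archive contents change for repositories that legitimately contain symlinks would make the behaviour change visible to whoever reads the patch later.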
diff -Nru websvn-2.3.3/debian/patches/series websvn-2.3.3/debian/patches/series
--- websvn-2.3.3/debian/patches/series 2011-06-11 15:01:59.000000000 +0000
+++ websvn-2.3.3/debian/patches/series 2015-01-24 12:41:27.000000000 +0000
@@ -1,3 +1,4 @@
+13_security_CVE-2013-6892.patch
21_fix_conf_file.patch
22_use_global_geshi.patch
25_readme_multiviews
--- End Message ---
--- Begin Message ---
On 2015-01-25 13:27, Thijs Kinkhorst wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package websvn.
>
> It fixes a security issue.
>
> unblock websvn/2.3.3-1.2
>
>
> Thanks,
> Thijs
>
Unblocked, thanks.
~Niels
--- End Message ---