commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)

diff --git a/www-apps/websvn/files/13_security_CVE-2013-6892.patch 
b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
new file mode 100644
index 0000000..ffb14e8
--- /dev/null
+++ b/www-apps/websvn/files/13_security_CVE-2013-6892.patch
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <th...@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php       2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+               exit(0);
+       }
+ 
++      // For security reasons, disallow direct downloads of filenames that
++      // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++      // Deciding whether the symlink is relative and legal within the
++      // repository would be nice but seems to error prone at this moment.
++      if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++              header('HTTP/1.x 500 Internal Server Error', true, 500);
++              error_log('to be downloaded file is symlink, aborting: 
'.$archiveName);
++              print 'Download of symlinks disallowed: 
"'.xml_entities($archiveName).'".';
++              removeDirectory($tempDir);
++              exit(0);
++      }
++
+       // Set timestamp of exported directory (and subdirectories) to 
timestamp of
+       // the revision so every archive of a given revision has the same 
timestamp.
+       $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+               $downloadMimeType = 'application/x-zip';
+               $downloadArchive .= '.zip';
+               // Create zip file
+-              $cmd = $config->zip.' -r '.quote($downloadArchive).' 
'.quote($archiveName);
++              $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' 
'.quote($archiveName);
+               execCommand($cmd, $retcode);
+               if ($retcode != 0) {
+                       error_log('Unable to call zip command: '.$cmd);
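Review bot: The `is_link()` guard added at the top of the hunk inspects only the top-level exported entry `$tempDir/$archiveName`, so a symlink nested inside an exported directory is never checked and whether its target leaks depends entirely on the archiver. The `--symlinks` flag added to the zip command covers that branch, but the tar branch of this function is outside the hunk and should be verified to store links rather than dereference them (GNU tar does so unless `-h`/`--dereference` is given); a one-line comment on the zip line, `// --symlinks: store links as links so a nested symlink cannot pull in its target`, would record why the flag is required. Rejecting a client-chosen symlink with a 500 also misclassifies the condition and feeds server-error alerting; `header('HTTP/1.x 403 Forbidden', true, 403);` describes it better. The enclosing function body begins and ends outside the hunk.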

diff --git a/www-apps/websvn/files/30_CVE-2016-2511.patch 
b/www-apps/websvn/files/30_CVE-2016-2511.patch
new file mode 100644
index 0000000..9c270bb
--- /dev/null
+++ b/www-apps/websvn/files/30_CVE-2016-2511.patch
@@ -0,0 +1,11 @@
+--- orig/include/setup.php     2016-02-19 16:02:05.674756241 +0100
++++ new/include/setup.php      2016-02-19 16:02:10.166832543 +0100
+@@ -467,7 +467,7 @@
+ $vars['validationurl'] = 
getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + 
array('template' => $template, 'language' => $language), '%26');
+ 
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+       $path = '/';
+ $vars['safepath'] = escape($path);
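Review bot: Escaping `$_REQUEST['path']` on the replaced line means `$path` itself now carries the HTML-escaped form, and it is escaped a second time two lines later into `$vars['safepath']`, so a path containing `&`, `<`, `"` or `'` is double-encoded there and, if `$path` is also used as the repository path further down (not visible in the hunk), lookups of legitimately named files will fail. If `escape()` is the usual htmlspecialchars wrapper, the cleaner fix is to keep `$path` raw and escape only at the output sinks, i.e. keep `$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;` and route every template use of the path through `$vars['safepath']`, which requires auditing those sinks. At minimum the existing line should become `$vars['safepath'] = $path;` so the value is not encoded twice. The surrounding setup code runs past both edges of the hunk.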

diff --git a/www-apps/websvn/files/31_CVE-2016-1236.patch 
b/www-apps/websvn/files/31_CVE-2016-1236.patch
new file mode 100644
index 0000000..13ff2be
--- /dev/null
+++ b/www-apps/websvn/files/31_CVE-2016-1236.patch
@@ -0,0 +1,61 @@
+Description: CVE-2016-1236: XSS via directory or file in a repository 
containing XSS payload
+Origin: vendor
+Forwarded: no
+Author: Nitin Venkatesh <venkatesh.ni...@gmail.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2016-05-08
+
+--- a/revision.php
++++ b/revision.php
+@@ -145,7 +145,7 @@ if ($rep) {
+               }
+               $resourceExisted = $change->action == 'M' || $change->copyfrom;
+               $listing[] = array(
+-                      'path' => $change->path,
++                      'path' => escape($change->path),
+                       'oldpath' => $change->copyfrom ? $change->copyfrom.' @ 
'.$change->copyrev : '',
+                       'action' => $change->action,
+                       'added' => $change->action == 'A',
+--- a/log.php
++++ b/log.php
+@@ -323,6 +323,9 @@ if ($rep) {
+                                       $listing[$index]['revadded'] = 
(isset($modpaths['A'])) ? implode('<br/>', $modpaths['A']) : '';
+                                       $listing[$index]['revdeleted'] = 
(isset($modpaths['D'])) ? implode('<br/>', $modpaths['D']) : '';
+                                       $listing[$index]['revmodified'] = 
(isset($modpaths['M'])) ? implode('<br/>', $modpaths['M']) : '';
++                                      $listing[$index]['revadded'] = 
escape($listing[$index]['revadded']);
++                                      $listing[$index]['revdeleted'] = 
escape($listing[$index]['revdeleted']);
++                                      $listing[$index]['revmodified'] = 
escape($listing[$index]['revmodified']);
+                               }
+ 
+                               $row = 1 - $row;
+--- a/comp.php
++++ b/comp.php
+@@ -381,7 +381,7 @@ if ($rep) {
+                                               $absnode .= $node;
+                                       }
+ 
+-                                      $listing[$index]['newpath'] = $absnode;
++                                      $listing[$index]['newpath'] = 
escape($absnode);
+ 
+                                       $listing[$index]['fileurl'] = 
$config->getURL($rep, $absnode, 'file').'rev='.$rev2;
+ 
+--- a/listing.php
++++ b/listing.php
+@@ -123,7 +123,7 @@ function showDirFiles($svnrep, $subs, $l
+                               $listing[$index]['level'] = ($treeview) ? 
$level : 0;
+                               $listing[$index]['node'] = 0; // t-node
+                               $listing[$index]['path'] = $path.$file;
+-                              $listing[$index]['filename'] = $file;
++                              $listing[$index]['filename'] = escape($file);
+                               if ($isDir) {
+                                       $listing[$index]['fileurl'] = 
urlForPath($path.$file, $passRevString);
+                               } else {
+@@ -137,7 +137,7 @@ function showDirFiles($svnrep, $subs, $l
+                               }
+ 
+                               if ($treeview) {
+-                                      $listing[$index]['compare_box'] = 
'<input type="checkbox" name="compare[]" value="'.$path.$file.'@'.$passrev.'" 
onclick="checkCB(this)" />';
++                                      $listing[$index]['compare_box'] = 
'<input type="checkbox" name="compare[]" 
value="'.escape($path.$file).'@'.$passrev.'" onclick="checkCB(this)" />';
+                               }
+                               if ($config->showLastModInListing()) {
+                                       $listing[$index]['committime'] = 
$entry->committime;
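Review bot: In the log.php section, `escape()` is applied to the already-imploded `revadded`/`revdeleted`/`revmodified` strings, so if `escape()` is the usual htmlspecialchars wrapper the intentional `<br/>` separators are encoded too and the listing renders literal `<br/>` text between paths. Escaping each element before joining keeps both the markup and the protection: `$listing[$index]['revadded'] = (isset($modpaths['A'])) ? implode('<br/>', array_map('escape', $modpaths['A'])) : '';` and likewise for `'D'` and `'M'`, dropping the three added lines. In the listing.php compare checkbox, `$path.$file` is now escaped but `$passrev` is still concatenated raw into the `value` attribute; if it originates from the request it needs the same treatment, `escape($passrev)`. All four touched functions continue outside their hunks.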

diff --git a/www-apps/websvn/websvn-2.3.3-r1.ebuild 
b/www-apps/websvn/websvn-2.3.3-r1.ebuild
new file mode 100644
index 0000000..27275ad
--- /dev/null
+++ b/www-apps/websvn/websvn-2.3.3-r1.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="6"
+
+inherit webapp
+
+MY_P="${P//_/}"
+
+DESCRIPTION="Web-based browsing tool for Subversion (SVN) repositories in PHP"
+HOMEPAGE="http://www.websvn.info/ http://websvn.tigris.org/";
+DOWNLOAD_NUMBER="49056"
+SRC_URI="http://websvn.tigris.org/files/documents/1380/${DOWNLOAD_NUMBER}/${MY_P}.tar.gz";
+
+LICENSE="GPL-2"
+IUSE="enscript"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+
+DEPEND=""
+RDEPEND="dev-lang/php:*[xml]
+       dev-vcs/subversion
+       virtual/httpd-php:*
+       enscript? ( app-text/enscript )"
+RESTRICT="mirror"
+
+PATCHES=(
+       "${FILESDIR}/13_security_CVE-2013-6892.patch"
+       "${FILESDIR}/30_CVE-2016-2511.patch"
+       "${FILESDIR}/31_CVE-2016-1236.patch"
+)
+
+S="${WORKDIR}/${MY_P}"
+
+src_install() {
+       webapp_src_preinst
+
+       DOCS=( changes.txt )
+       HTML_DOCS=( doc/* )
+       einstalldocs
+
+       mv include/{dist,}config.php
+       rm -rf license.txt changes.txt doc/
+
+       insinto "${MY_HTDOCSDIR}"
+       doins -r .
+
+       webapp_configfile "${MY_HTDOCSDIR}"/include/config.php
+       webapp_configfile "${MY_HTDOCSDIR}"/wsvn.php
+
+       webapp_serverowned "${MY_HTDOCSDIR}"/cache
+
+       webapp_src_install
+}
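Review bot: `mv include/{dist,}config.php` and `rm -rf license.txt changes.txt doc/` in src_install are not followed by `|| die`, so a failed rename silently installs the package without a config.php while the ebuild still reports success; Gentoo ebuild policy expects every non-helper command to die on failure, i.e. `mv include/{dist,}config.php || die` and `rm -rf license.txt changes.txt doc/ || die`. `doins -r .` then installs everything left in `${S}` unfiltered, which deserves a short comment stating that after the removals above the tree is expected to hold only files meant to be web-served, since anything else ends up in the document root.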
