[uzbl] Add patch for cookie file permissions
Ben Boeckel
mathstuf at fedoraproject.org
Fri Feb 24 01:27:10 UTC 2012
commit fc6f0c5af1790ec86bfcf446c9262058517f1fb4
Author: Ben Boeckel <mathstuf at gmail.com>
Date: Thu Feb 23 20:15:56 2012 -0500
Add patch for cookie file permissions
...ird-party-access-to-cookie-jar-CVE-2012-0.patch | 79 ++++++++++++++++++++
uzbl.spec | 9 ++-
2 files changed, 87 insertions(+), 1 deletions(-)
---
diff --git a/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
new file mode 100644
index 0000000..e0c7363
--- /dev/null
+++ b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
@@ -0,0 +1,79 @@
+From 0d747f8715f2b9d2acddda8748e0c3f838f197de Mon Sep 17 00:00:00 2001
+From: Luca Bruno <lucab at debian.org>
+Date: Sat, 11 Feb 2012 15:23:14 +0100
+Subject: [PATCH] Restrict third-party access to cookie jar (CVE-2012-0843)
+
+Make sure new cookie jar is created with no permission for "others",
+and remove excessive rights on existing jar if any.
+This fixes CVE-2012-0843 and uzbl bug #291.
+
+Signed-off-by: Luca Bruno <lucab at debian.org>
+---
+ examples/data/plugins/cookies.py | 20 +++++++++++++++++++-
+ 1 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py
+index e29ee36..721feef 100644
+--- a/examples/data/plugins/cookies.py
++++ b/examples/data/plugins/cookies.py
+@@ -2,7 +2,7 @@
+ forwards cookies to all other instances connected to the event manager"""
+
+ from collections import defaultdict
+-import os, re
++import os, re, stat
+
+ # these are symbolic names for the components of the cookie tuple
+ symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5}
+@@ -32,6 +32,14 @@ class ListStore(list):
+ class TextStore(object):
+ def __init__(self, filename):
+ self.filename = filename
++ try:
++ # make sure existing cookie jar is not world-open
++ perm_mode = os.stat(self.filename).st_mode
++ if (perm_mode & (stat.S_IRWXO | stat.S_IRWXG)) > 0:
++ safe_perm = stat.S_IMODE(perm_mode) & ~(stat.S_IRWXO | stat.S_IRWXG)
++ os.chmod(self.filename, safe_perm)
++ except OSError:
++ pass
+
+ def as_event(self, cookie):
+ """Convert cookie.txt row to uzbls cookie event format"""
+@@ -76,16 +84,25 @@ class TextStore(object):
+ # delete equal cookies (ignoring expire time, value and secure flag)
+ self.delete_cookie(None, cookie[:-3])
+
++ # restrict umask before creating the cookie jar
++ curmask=os.umask(0)
++ os.umask(curmask| stat.S_IRWXO | stat.S_IRWXG)
++
+ first = not os.path.exists(self.filename)
+ with open(self.filename, 'a') as f:
+ if first:
+ print >> f, "# HTTP Cookie File"
+ print >> f, '\t'.join(self.as_file(cookie))
++ os.umask(curmask)
+
+ def delete_cookie(self, rkey, key):
+ if not os.path.exists(self.filename):
+ return
+
++ # restrict umask before creating the cookie jar
++ curmask=os.umask(0)
++ os.umask(curmask | stat.S_IRWXO | stat.S_IRWXG)
++
+ # read all cookies
+ with open(self.filename, 'r') as f:
+ cookies = f.readlines()
+@@ -96,6 +113,7 @@ class TextStore(object):
+ c = self.as_event(l.split('\t'))
+ if c is None or not match(key, c):
+ print >> f, l,
++ os.umask(curmask)
+
+ xdg_data_home = os.environ.get('XDG_DATA_HOME', os.path.join(os.environ['HOME'], '.local/share'))
+ DefaultStore = TextStore(os.path.join(xdg_data_home, 'uzbl/cookies.txt'))
+--
+1.7.9.1
+
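Review bot: In the embedded cookies.py change, `add_cookie` and `delete_cookie` restore the umask only on the success path, and `curmask=os.umask(0)` sets the process-wide umask to 0 for a moment before tightening it. If `open()` or a write raises, the process keeps the tightened umask for every file it creates afterwards, and anything created concurrently during the `umask(0)` window (if the event manager runs other threads) gets permissive modes. Creating the jar with an explicit mode avoids touching the umask at all: `fd = os.open(self.filename, os.O_WRONLY | os.O_APPEND | os.O_CREAT, stat.S_IRUSR | stat.S_IWUSR)` followed by `with os.fdopen(fd, 'a') as f:`. Separately, `except OSError: pass` in `__init__` also hides a failed `os.chmod`, so an existing jar can stay group- or world-readable with no indication; only the missing-file case should be ignored there, and a chmod failure should at least be logged. Both method bodies continue outside the embedded hunks, so the write path in `delete_cookie` is not visible here.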
diff --git a/uzbl.spec b/uzbl.spec
index 95497f2..f10f0c2 100644
--- a/uzbl.spec
+++ b/uzbl.spec
@@ -5,7 +5,7 @@ Name: uzbl
Summary: Lightweight WebKit browser following the UNIX philosophy
Group: Applications/Internet
Version: 0
-Release: 0.27.20111001git%{uzblcommit}%{?dist}
+Release: 0.28.20111001git%{uzblcommit}%{?dist}
License: GPLv3
URL: http://www.uzbl.org
# The source for this package was pulled from upstream's vcs. Use the
@@ -26,6 +26,8 @@ Patch2: 0001-javascriptcoregtk-3.0-is-required-for-webkitgtk3.patch
Patch3: 0002-Check-if-glib-needs-g_thread_init.patch
# Submitted at https://github.com/Dieterbe/uzbl/pull/72
Patch4: 0001-Get-the-click-context-all-the-time.patch
+# From upstream
+Patch5: 0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
%if %{use_webkitgtk3}
BuildRequires: webkitgtk3-devel
@@ -112,6 +114,7 @@ Highlighting files for uzbl's configuration.
%patch2 -p1 -b .jscore
%patch3 -p1 -b .gthread_init
%patch4 -p1 -b .context
+%patch5 -p1 -b .cookie-perms
mkdir -p icons/hicolor/32x32/apps
mv examples/data/uzbl.png icons/hicolor/32x32/apps
@@ -185,6 +188,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%changelog
+* Thu Feb 23 2012 Ben Boeckel <mathstuf at gmail.com> - 0-0.28.20111001git9576f59f05
+- Lock down permissions on cookie files (CVE-2012-0843)
+- Clean up vim subpackage
+
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0-0.27.20111001git9576f59f05
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild