[uzbl] Add patch for cookie file permissions

Ben Boeckel mathstuf at fedoraproject.org
Fri Feb 24 01:27:10 UTC 2012


commit fc6f0c5af1790ec86bfcf446c9262058517f1fb4
Author: Ben Boeckel <mathstuf at gmail.com>
Date:   Thu Feb 23 20:15:56 2012 -0500

    Add patch for cookie file permissions

 ...ird-party-access-to-cookie-jar-CVE-2012-0.patch |   79 ++++++++++++++++++++
 uzbl.spec                                          |    9 ++-
 2 files changed, 87 insertions(+), 1 deletions(-)
---
diff --git a/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
new file mode 100644
index 0000000..e0c7363
--- /dev/null
+++ b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
@@ -0,0 +1,79 @@
+From 0d747f8715f2b9d2acddda8748e0c3f838f197de Mon Sep 17 00:00:00 2001
+From: Luca Bruno <lucab at debian.org>
+Date: Sat, 11 Feb 2012 15:23:14 +0100
+Subject: [PATCH] Restrict third-party access to cookie jar (CVE-2012-0843)
+
+Make sure new cookie jar is created with no permission for "others",
+and remove excessive rights on existing jar if any.
+This fixes CVE-2012-0843 and uzbl bug #291.
+
+Signed-off-by: Luca Bruno <lucab at debian.org>
+---
+ examples/data/plugins/cookies.py |   20 +++++++++++++++++++-
+ 1 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py
+index e29ee36..721feef 100644
+--- a/examples/data/plugins/cookies.py
++++ b/examples/data/plugins/cookies.py
+@@ -2,7 +2,7 @@
+     forwards cookies to all other instances connected to the event manager"""
+ 
+ from collections import defaultdict
+-import os, re
++import os, re, stat
+ 
+ # these are symbolic names for the components of the cookie tuple
+ symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5}
+@@ -32,6 +32,14 @@ class ListStore(list):
+ class TextStore(object):
+     def __init__(self, filename):
+         self.filename = filename
++        try:
++          # make sure existing cookie jar is not world-open
++          perm_mode = os.stat(self.filename).st_mode
++          if (perm_mode & (stat.S_IRWXO | stat.S_IRWXG)) > 0:
++              safe_perm = stat.S_IMODE(perm_mode) & ~(stat.S_IRWXO | stat.S_IRWXG)
++              os.chmod(self.filename, safe_perm)
++        except OSError:
++            pass
+ 
+     def as_event(self, cookie):
+         """Convert cookie.txt row to uzbls cookie event format"""
+@@ -76,16 +84,25 @@ class TextStore(object):
+         # delete equal cookies (ignoring expire time, value and secure flag)
+         self.delete_cookie(None, cookie[:-3])
+ 
++        # restrict umask before creating the cookie jar
++        curmask=os.umask(0)
++        os.umask(curmask| stat.S_IRWXO | stat.S_IRWXG)
++
+         first = not os.path.exists(self.filename)
+         with open(self.filename, 'a') as f:
+             if first:
+                 print >> f, "# HTTP Cookie File"
+             print >> f, '\t'.join(self.as_file(cookie))
++        os.umask(curmask)
+ 
+     def delete_cookie(self, rkey, key):
+         if not os.path.exists(self.filename):
+             return
+ 
++        # restrict umask before creating the cookie jar
++        curmask=os.umask(0)
++        os.umask(curmask | stat.S_IRWXO | stat.S_IRWXG)
++
+         # read all cookies
+         with open(self.filename, 'r') as f:
+             cookies = f.readlines()
+@@ -96,6 +113,7 @@ class TextStore(object):
+                 c = self.as_event(l.split('\t'))
+                 if c is None or not match(key, c):
+                     print >> f, l,
++        os.umask(curmask)
+ 
+ xdg_data_home = os.environ.get('XDG_DATA_HOME', os.path.join(os.environ['HOME'], '.local/share'))
+ DefaultStore = TextStore(os.path.join(xdg_data_home, 'uzbl/cookies.txt'))
+-- 
+1.7.9.1
+
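Review bot: The umask handling in add_cookie and delete_cookie (`curmask=os.umask(0)` … `os.umask(curmask)`) changes process-wide state and restores it outside any `try`/`finally`, so an exception from `open()` or the writes leaves the tightened mask in place, and between the two `os.umask` calls the process briefly runs with mask 0, which would affect any file another thread creates in that window. Creating the jar with an explicit owner-only mode avoids touching the umask at all, as sketched below for add_cookie. In delete_cookie the jar already exists at that point (the function returns early otherwise), so the mask presumably has no effect on its mode there and the copied comment `# restrict umask before creating the cookie jar` is misleading. Separately, `except OSError: pass` in `__init__` also hides a failed `os.chmod`, leaving a group- or world-accessible jar unnoticed; ignoring only the missing-file case and reporting the rest would be safer. The bodies of add_cookie and delete_cookie extend beyond the embedded hunks.

```python
        first = not os.path.exists(self.filename)
        # create the jar owner-only without changing the process-wide umask
        fd = os.open(self.filename,
                     os.O_WRONLY | os.O_APPEND | os.O_CREAT,
                     stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, 'a') as f:
            # … unchanged: header line and cookie row writes …
```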
diff --git a/uzbl.spec b/uzbl.spec
index 95497f2..f10f0c2 100644
--- a/uzbl.spec
+++ b/uzbl.spec
@@ -5,7 +5,7 @@ Name:		uzbl
 Summary:	Lightweight WebKit browser following the UNIX philosophy
 Group:		Applications/Internet
 Version:	0
-Release:	0.27.20111001git%{uzblcommit}%{?dist}
+Release:	0.28.20111001git%{uzblcommit}%{?dist}
 License:	GPLv3
 URL:		http://www.uzbl.org
 # The source for this package was pulled from upstream's vcs.  Use the
@@ -26,6 +26,8 @@ Patch2:		0001-javascriptcoregtk-3.0-is-required-for-webkitgtk3.patch
 Patch3:		0002-Check-if-glib-needs-g_thread_init.patch
 # Submitted at https://github.com/Dieterbe/uzbl/pull/72
 Patch4:		0001-Get-the-click-context-all-the-time.patch
+# From upstream
+Patch5:		0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
 
 %if %{use_webkitgtk3}
 BuildRequires:	webkitgtk3-devel
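Review bot: The provenance comment `# From upstream` on Patch5 is weaker than the one on Patch4, which links the exact upstream submission. For a security patch it helps later audits to record what was imported, for example `# From upstream: 0d747f8715f2b9d2acddda8748e0c3f838f197de (uzbl bug #291, CVE-2012-0843)`, using the hash from the patch's own `From` line. That hash is presumably the upstream commit, which should be confirmed before it is written into the spec.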
@@ -112,6 +114,7 @@ Highlighting files for uzbl's configuration.
 %patch2 -p1 -b .jscore
 %patch3 -p1 -b .gthread_init
 %patch4 -p1 -b .context
+%patch5 -p1 -b .cookie-perms
 
 mkdir -p icons/hicolor/32x32/apps
 mv examples/data/uzbl.png icons/hicolor/32x32/apps
@@ -185,6 +188,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 
 %changelog
+* Thu Feb 23 2012 Ben Boeckel <mathstuf at gmail.com> - 0-0.28.20111001git9576f59f05
+- Lock down permissions on cookie files (CVE-2012-0843)
+- Clean up vim subpackage
+
 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0-0.27.20111001git9576f59f05
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 

