[uzbl/f15] Add patch for cookie file permissions

Ben Boeckel mathstuf at fedoraproject.org
Fri Feb 24 01:48:43 UTC 2012


commit be9b6cae7cc11555305331e929f112246e6c46b3
Author: Ben Boeckel <mathstuf at gmail.com>
Date:   Thu Feb 23 20:15:56 2012 -0500

    Add patch for cookie file permissions

 ...ird-party-access-to-cookie-jar-CVE-2012-0.patch |   79 ++++++++++++++++++++
 uzbl.spec                                          |   13 +++-
 2 files changed, 90 insertions(+), 2 deletions(-)
---
diff --git a/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
new file mode 100644
index 0000000..e0c7363
--- /dev/null
+++ b/0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
@@ -0,0 +1,79 @@
+From 0d747f8715f2b9d2acddda8748e0c3f838f197de Mon Sep 17 00:00:00 2001
+From: Luca Bruno <lucab at debian.org>
+Date: Sat, 11 Feb 2012 15:23:14 +0100
+Subject: [PATCH] Restrict third-party access to cookie jar (CVE-2012-0843)
+
+Make sure new cookie jar is created with no permission for "others",
+and remove excessive rights on existing jar if any.
+This fixes CVE-2012-0843 and uzbl bug #291.
+
+Signed-off-by: Luca Bruno <lucab at debian.org>
+---
+ examples/data/plugins/cookies.py |   20 +++++++++++++++++++-
+ 1 files changed, 19 insertions(+), 1 deletions(-)
+
+diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py
+index e29ee36..721feef 100644
+--- a/examples/data/plugins/cookies.py
++++ b/examples/data/plugins/cookies.py
+@@ -2,7 +2,7 @@
+     forwards cookies to all other instances connected to the event manager"""
+ 
+ from collections import defaultdict
+-import os, re
++import os, re, stat
+ 
+ # these are symbolic names for the components of the cookie tuple
+ symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5}
+@@ -32,6 +32,14 @@ class ListStore(list):
+ class TextStore(object):
+     def __init__(self, filename):
+         self.filename = filename
++        try:
++          # make sure existing cookie jar is not world-open
++          perm_mode = os.stat(self.filename).st_mode
++          if (perm_mode & (stat.S_IRWXO | stat.S_IRWXG)) > 0:
++              safe_perm = stat.S_IMODE(perm_mode) & ~(stat.S_IRWXO | stat.S_IRWXG)
++              os.chmod(self.filename, safe_perm)
++        except OSError:
++            pass
+ 
+     def as_event(self, cookie):
+         """Convert cookie.txt row to uzbls cookie event format"""
+@@ -76,16 +84,25 @@ class TextStore(object):
+         # delete equal cookies (ignoring expire time, value and secure flag)
+         self.delete_cookie(None, cookie[:-3])
+ 
++        # restrict umask before creating the cookie jar
++        curmask=os.umask(0)
++        os.umask(curmask| stat.S_IRWXO | stat.S_IRWXG)
++
+         first = not os.path.exists(self.filename)
+         with open(self.filename, 'a') as f:
+             if first:
+                 print >> f, "# HTTP Cookie File"
+             print >> f, '\t'.join(self.as_file(cookie))
++        os.umask(curmask)
+ 
+     def delete_cookie(self, rkey, key):
+         if not os.path.exists(self.filename):
+             return
+ 
++        # restrict umask before creating the cookie jar
++        curmask=os.umask(0)
++        os.umask(curmask | stat.S_IRWXO | stat.S_IRWXG)
++
+         # read all cookies
+         with open(self.filename, 'r') as f:
+             cookies = f.readlines()
+@@ -96,6 +113,7 @@ class TextStore(object):
+                 c = self.as_event(l.split('\t'))
+                 if c is None or not match(key, c):
+                     print >> f, l,
++        os.umask(curmask)
+ 
+ xdg_data_home = os.environ.get('XDG_DATA_HOME', os.path.join(os.environ['HOME'], '.local/share'))
+ DefaultStore = TextStore(os.path.join(xdg_data_home, 'uzbl/cookies.txt'))
+-- 
+1.7.9.1
+
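Review bot: In `add_cookie` and `delete_cookie` the saved umask is restored only on the success path: if `open()` or a write raises between `os.umask(curmask | stat.S_IRWXO | stat.S_IRWXG)` and the trailing `os.umask(curmask)`, the process keeps the tightened mask for every file it creates afterwards. Wrapping each file-handling section in `try:` … `finally: os.umask(curmask)` keeps the change scoped to the cookie jar. The `curmask=os.umask(0)` probe also leaves the process-wide mask at 0 for a moment, which matters if anything else in the process can create files concurrently; `curmask = os.umask(stat.S_IRWXO | stat.S_IRWXG)` followed by the existing OR-ed call closes that window. In `__init__`, `except OSError: pass` covers `os.chmod` as well as `os.stat`, so a jar that stays group- or world-accessible is not reported; logging a failed chmod separately from a missing file would make that visible. Both method bodies start outside the embedded hunks, and the write-side `open()` in `delete_cookie` is not visible here.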
diff --git a/uzbl.spec b/uzbl.spec
index ab53ec2..33b6a3e 100644
--- a/uzbl.spec
+++ b/uzbl.spec
@@ -16,8 +16,12 @@ URL:		http://www.uzbl.org
 #      gzip -c > ../uzbl-${uzblcommit}.tar.gz
 Source0:	%{name}-%{uzblcommit}.tar.gz
 Source1:	%{name}.desktop
+# RPM handles docs for us, won't be upstreamed
 Patch0:		%{name}-makefile.patch
+# Fedora-specific, won't be upstreamed
 Patch1:		0001-Fedora-specific-error-messages-on-no-configs.patch
+# From upstream
+Patch5:		0001-Restrict-third-party-access-to-cookie-jar-CVE-2012-0.patch
 
 BuildRequires:	webkitgtk-devel
 BuildRequires:	desktop-file-utils
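Review bot: `Patch5` pulls in the CVE-2012-0843 fix, but the package release does not appear to be bumped with it: the new `%changelog` entry in the last hunk carries `0-0.25.20110402gite7578e27c`, the same version-release as the April 2011 entry, and the diffstat (11 insertions, 2 deletions in uzbl.spec) is fully accounted for by the visible hunks. Without a higher release, a build with the fix cannot be told apart from the vulnerable one and will not be offered as an update to installed systems. Bump the `Release` tag (outside the visible hunks) and write the changelog header to match, e.g. `- 0-0.<NEXT>.20110402gite7578e27c` with `<NEXT>` as a placeholder for the new value. The changelog line "Clean up vim subpackage" also has no corresponding change in this diff.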
@@ -95,8 +99,9 @@ Highlighting files for uzbl's configuration.
 
 %prep
 %setup -q -n %{name}-%{uzblcommit}
-%patch0 -p1
-%patch1 -p1
+%patch0 -p1 -b .makefile
+%patch1 -p1 -b .fedora
+%patch5 -p1 -b .cookie-perms
 
 mkdir -p icons/hicolor/32x32/apps
 mv examples/data/uzbl.png icons/hicolor/32x32/apps
@@ -170,6 +175,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 
 %changelog
+* Thu Feb 23 2012 Ben Boeckel <mathstuf at gmail.com> - 0-0.25.20110402gite7578e27c
+- Lock down permissions on cookie files (CVE-2012-0843)
+- Clean up vim subpackage
+
 * Mon Apr  4 2011 Daiki Ueno <dueno at redhat.com> - 0-0.25.20110402gite7578e27c
 - New upstream snapshot
 - Don't install removed uzbl-cookie-manager and related files.

