[websvn] CVE-2013-6892

xavierb xavierb at fedoraproject.org
Tue Jan 27 21:48:31 UTC 2015


commit 1e0ac3f75837e827185dfd1b430ed0e29a8865ea
Author: Xavier Bachelot <xavier at bachelot.org>
Date:   Tue Jan 27 22:48:17 2015 +0100

    CVE-2013-6892

 websvn-2.3.3-CVE-2013-6892.patch |   31 +++++++++++++++++++++++++++++++
 websvn.spec                      |    7 +++++++
 2 files changed, 38 insertions(+), 0 deletions(-)
---
diff --git a/websvn-2.3.3-CVE-2013-6892.patch b/websvn-2.3.3-CVE-2013-6892.patch
new file mode 100644
index 0000000..14e5f5d
--- /dev/null
+++ b/websvn-2.3.3-CVE-2013-6892.patch
@@ -0,0 +1,31 @@
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
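Review bot: The new is_link() guard inspects only the top-level exported path `$tempDir/$archiveName`, so a symlink nested inside an exported directory is not rejected by this check and the remaining protection rests on the archiver not dereferencing it. The added `--symlinks` flag covers the zip branch, but the tar branch is not part of this hunk, so it should be confirmed that tar is not invoked with `-h`/`--dereference` (GNU tar stores links as links by default). That division of responsibility is worth stating in the comment, e.g. `// Only the top-level export path is checked here; nested symlinks must be kept as links by the archiver (zip --symlinks, tar without --dereference).` The comment also reads `seems to error prone` and should be `seems too error prone`. The surrounding dl.php download logic begins and ends outside this hunk.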
diff --git a/websvn.spec b/websvn.spec
index 9334d3f..a31e956 100644
--- a/websvn.spec
+++ b/websvn.spec
@@ -9,6 +9,8 @@ URL:            http://www.websvn.info
 Source0:        http://websvn.tigris.org/files/documents/1380/49056/websvn-2.3.3.tar.gz
 Source1:        websvn-httpd.conf
 Patch1:         websvn-2.3.3-use_system_libs.patch
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=websvn_symlinks.patch;att=1;bug=775682
+Patch2:         websvn-2.3.3-CVE-2013-6892.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 
@@ -48,6 +50,8 @@ SElinux context for %{name}.
 ### Let websvn use the system provided php classes and remove bundled ones.
 %patch1 -p1
 rm -rf lib/
+# CVE-2013-6892
+%patch2 -p1
 
 mv include/distconfig.php include/config.php
 find templates/calm -type f -exec chmod -R a-x {} ';'
@@ -122,6 +126,9 @@ fi
 
 
 %changelog
+* Wed Jan 21 2015 Xavier Bachelot <xavier at bachelot.org> 2.3.3-8
+- Add patch for CVE-2013-6892 (RHBZ#1183632).
+
 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3.3-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

