[websvn] CVE-2013-6892
xavierb
xavierb at fedoraproject.org
Tue Jan 27 21:48:31 UTC 2015
commit 1e0ac3f75837e827185dfd1b430ed0e29a8865ea
Author: Xavier Bachelot <xavier at bachelot.org>
Date: Tue Jan 27 22:48:17 2015 +0100
CVE-2013-6892
websvn-2.3.3-CVE-2013-6892.patch | 31 +++++++++++++++++++++++++++++++
websvn.spec | 7 +++++++
2 files changed, 38 insertions(+), 0 deletions(-)
---
diff --git a/websvn-2.3.3-CVE-2013-6892.patch b/websvn-2.3.3-CVE-2013-6892.patch
new file mode 100644
index 0000000..14e5f5d
--- /dev/null
+++ b/websvn-2.3.3-CVE-2013-6892.patch
@@ -0,0 +1,31 @@
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
++++ nieuw/dl.php 2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ exit(0);
+ }
+
++ // For security reasons, disallow direct downloads of filenames that
++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++ // Deciding whether the symlink is relative and legal within the
++ // repository would be nice but seems to error prone at this moment.
++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++ header('HTTP/1.x 500 Internal Server Error', true, 500);
++ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++ removeDirectory($tempDir);
++ exit(0);
++ }
++
+ // Set timestamp of exported directory (and subdirectories) to timestamp of
+ // the revision so every archive of a given revision has the same timestamp.
+ $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@
+ $downloadMimeType = 'application/x-zip';
+ $downloadArchive .= '.zip';
+ // Create zip file
+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ execCommand($cmd, $retcode);
+ if ($retcode != 0) {
+ error_log('Unable to call zip command: '.$cmd);
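Review bot: The `is_link()` guard at the top of the hunk only inspects the top-level `$tempDir.DIRECTORY_SEPARATOR.$archiveName` entry, so a symlink nested inside an exported directory is not caught by it; the `--symlinks` flag added to the zip command in the second hunk keeps zip from dereferencing such links, but the code that builds the other archive format lies outside this hunk and should be confirmed to store links rather than their targets as well. The refusal is reported as `HTTP/1.x 500 Internal Server Error`, although the condition is a rejected request rather than a server fault; `header('HTTP/1.x 403 Forbidden', true, 403);` would describe it more accurately to clients and in log analysis. The comment's `seems to error prone` reads as `seems too error-prone`. The enclosing function starts and ends outside the hunk.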
diff --git a/websvn.spec b/websvn.spec
index 9334d3f..a31e956 100644
--- a/websvn.spec
+++ b/websvn.spec
@@ -9,6 +9,8 @@ URL: http://www.websvn.info
Source0: http://websvn.tigris.org/files/documents/1380/49056/websvn-2.3.3.tar.gz
Source1: websvn-httpd.conf
Patch1: websvn-2.3.3-use_system_libs.patch
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=websvn_symlinks.patch;att=1;bug=775682
+Patch2: websvn-2.3.3-CVE-2013-6892.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
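Review bot: The changelog entry in the last hunk records this build as 2.3.3-8, but the diffstat shows 7 insertions and 0 deletions for websvn.spec, so the `Release:` tag is not bumped anywhere in this commit; unless the release number is derived elsewhere, it should be raised together with the entry so the built package carries the version the changelog claims. The `%patch2 -p1` in the second hunk matches the single-component `oud/`/`nieuw/` prefixes of the nested patch, so the strip level looks right. The Debian bug URL above `Patch2:` is useful provenance; a short note on whether the patch is applied unmodified or was adapted would help a later rebase know what to compare against.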
@@ -48,6 +50,8 @@ SElinux context for %{name}.
### Let websvn use the system provided php classes and remove bundled ones.
%patch1 -p1
rm -rf lib/
+# CVE-2013-6892
+%patch2 -p1
mv include/distconfig.php include/config.php
find templates/calm -type f -exec chmod -R a-x {} ';'
@@ -122,6 +126,9 @@ fi
%changelog
+* Wed Jan 21 2015 Xavier Bachelot <xavier at bachelot.org> 2.3.3-8
+- Add patch for CVE-2013-6892 (RHBZ#1183632).
+
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild