Bug#461069: intend to NMU

[Nico Golde]

Hi Gustavo,
As discussed on jabber, here is the debdiff (also attached 
to this mail)
http://people.debian.org/~nion/nmu-diff/python-cherrypy-2.2.1-3_2.2.1-3.1.patch

I am going to upload this today.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u python-cherrypy-2.2.1/debian/changelog python-cherrypy-2.2.1/debian/changelog
--- python-cherrypy-2.2.1/debian/changelog
+++ python-cherrypy-2.2.1/debian/changelog
@@ -1,3 +1,15 @@
+python-cherrypy (2.2.1-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team.
+  * This update addresses the following security issue:
+    - Directory traversal vulnerability in the _get_file_path function
+      in filter/sessionfilter.py allows remote attackers to create or
+      delete arbitrary files, and possibly read and write portions of
+      arbitrary files, via a crafted session id in a cookie
+      (CVE-2008-0252; Closes: #461069).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Fri, 18 Jan 2008 16:25:39 +0100
+
 python-cherrypy (2.2.1-3) unstable; urgency=low
 
   * debian/rules, debian/control:
only in patch2:
unchanged:
--- python-cherrypy-2.2.1.orig/debian/pycompat
+++ python-cherrypy-2.2.1/debian/pycompat
@@ -0,0 +1 @@
+2
only in patch2:
unchanged:
--- python-cherrypy-2.2.1.orig/debian/patches/CVE-2008-0252.diff
+++ python-cherrypy-2.2.1/debian/patches/CVE-2008-0252.diff
@@ -0,0 +1,12 @@
+diff -Nurad python-cherrypy-2.2.1~/cherrypy/filters/sessionfilter.py python-cherrypy-2.2.1/cherrypy/filters/sessionfilter.py
+--- python-cherrypy-2.2.1~/cherrypy/filters/sessionfilter.py	2008-01-18 16:21:27.000000000 +0100
++++ python-cherrypy-2.2.1/cherrypy/filters/sessionfilter.py	2008-01-18 16:23:36.000000000 +0100
+@@ -326,6 +326,8 @@
+             raise SessionStoragePathNotConfiguredError()
+         fileName = self.SESSION_PREFIX + id
+         file_path = os.path.join(storage_path, fileName)
++        if not os.path.normpath(file_path).startswith(storage_path):
++            raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
+         return file_path
+     
+     def _lock_file(self, path):

pgpHik5zbR2kH.pgp
Description: PGP signature