Hi,

I've successfully reproduced this bug in a Lenny environment, and have prepared NMUs for unstable and lenny-security. The NMUs also include the debconf translation template from #508488.
Cheers,
Emilio

websvn (2.0-4+lenny1) stable-security; urgency=high

  * Non-maintainer upload.
  * debian/patches/12_security_known_path_cve_2009_0240.patch:
    - Backports upstream changes from subversion r635, r636 and r649 to
      fix a security hole where authenticated users can access files
      with known paths. Closes: #512191.
    - Urgency high for the security fix.
    - References: CVE-2009-0240
  * debian/po/es.po:
    - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
      Closes: #508488.

 -- Emilio Pozuelo Monfort <po...@ubuntu.com>  Sat, 14 Feb 2009 16:30:02 +0100

 debian/patches/12_security_known_path_cve_2009_0240.patch | 179 ++++++++++++++
 debian/po/es.po                                           | 137 ++++++++++
 websvn-2.0/debian/changelog                               |  15 +
 websvn-2.0/debian/patches/series                          |   1

emi...@saturno:~/tmp/websvn/websvn-2.0$ head -12 debian/patches/12_security_known_path_cve_2009_0240.patch
Backport changes from upstream svn to fix known paths security bypass
http://security-tracker.debian.net/tracker/CVE-2009-0240

r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line
fixed authentication check for subfolders, patch by Dirk Thomas

r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line
fixed access control with calm theme

r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line
restrict visible entries and log messages based on auth
diff -u websvn-2.0/debian/changelog websvn-2.0/debian/changelog --- websvn-2.0/debian/changelog +++ websvn-2.0/debian/changelog @@ -1,3 +1,18 @@ +websvn (2.0-4+lenny1) stable-security; urgency=high + + * Non-maintainer upload. + * debian/patches/12_security_known_path_cve_2009_0240.patch: + - Backports upstream changes from subversion r635, r636 and r649 to + fix a security hole where authenticated users can access files + with known paths. Closes: #512191. + - Urgency high for the security fix. + - References: CVE-2009-0240 + * debian/po/es.po: + - Added Spanish debconf translation, thanks Francisco Javier Cuadrado. + Closes: #508488. + + -- Emilio Pozuelo Monfort <po...@ubuntu.com> Sat, 14 Feb 2009 16:30:02 +0100 + websvn (2.0-4) unstable; urgency=high * Security: fix potential Cross Site Scripting and Directory diff -u websvn-2.0/debian/patches/series websvn-2.0/debian/patches/series --- websvn-2.0/debian/patches/series +++ websvn-2.0/debian/patches/series @@ -2,0 +3 @@ +12_security_known_path_cve_2009_0240.patch only in patch2: unchanged: --- websvn-2.0.orig/debian/po/es.po +++ websvn-2.0/debian/po/es.po 
@@ -0,0 +1,137 @@ +# websvn po-debconf translation to Spanish +# Copyright (C) 2008 Software in the Public Interest +# This file is distributed under the same license as the websvn package. +# +# Changes: +# - Initial translation +# Francisco Javier Cuadrado <fcocuadr...@gmail.com>, 2008 +# +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor, lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish/ +# especialmente las notas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guÃa de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +msgid "" +msgstr "" +"Project-Id-Version: websvn 2.0-4\n" +"Report-Msgid-Bugs-To: chiffl...@cpe.fr\n" +"POT-Creation-Date: 2006-11-14 09:46+0100\n" +"PO-Revision-Date: \n" +"Last-Translator: Francisco Javier Cuadrado <fcocuadr...@gmail.com>\n" +"Language-Team: Debian l10n spanish <debian-l10n-span...@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "Do you want to configure WebSVN now?" +msgstr "¿Desea configurar WebSVN ahora?" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "WebSVN needs to be configured before its use, ie you must set the locations of the repositories." +msgstr "WebSVN necesita configurarse antes de usarlo, por ejemplo: debe configurar las ubicaciones de los repositorios." + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "If you want to configure it later, you should run 'dpkg-reconfigure websvn'." 
+msgstr "Si quiere configurarlo después, deberÃa ejecutar «dpkg-reconfigure websvn»." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "svn parent repositories:" +msgstr "Repositorios padres de svn:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "If you have directories containing svn repositories, enter the location of each parent directory you want to appear on websvn page." +msgstr "Si tiene directorios que contienen repositorios svn, introduzca la ubicación de cada directorio padre si quiere que aparezcan en la página de websvn." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "You must specify at least one existing subversion repository or WebSVN will not work. You can specify single repositories on the next step of the config." +msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará. Puede especificar repositorios únicos en el siguiente paso de la configuración." + +#. Type: string +#. Description +#. Type: string +#. Description +#: ../templates:2001 +#: ../templates:3001 +msgid "Separate each entry with a comma (,) but NO SPACE or leave empty." +msgstr "Separe cada entrada con una coma (,) pero NO USE ESPACIOS o déjelo vacÃo." + +#. Type: string +#. Description +#: ../templates:3001 +msgid "svn repositories:" +msgstr "Repositorios de svn:" + +#. Type: string +#. Description +#: ../templates:3001 +msgid "Enter the location of each svn repository you want to appear on websvn page." +msgstr "Introduzca la ubicación de cada repositorio de svn que quiere que aparezca en la página de websvn." + +#. Type: string +#. Description +#: ../templates:3001 +msgid "You must specify at least one existing subversion repository or WebSVN will not work, except if you have given a parent path previously." +msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará, excepto si ha elegido previamente una ruta de un padre." + +#. Type: multiselect +#. 
Choices +#: ../templates:4001 +msgid "apache, apache-ssl, apache-perl, apache2" +msgstr "apache, apache-ssl, apache-perl, apache2" + +#. Type: multiselect +#. Description +#: ../templates:4002 +msgid "Apache configuration:" +msgstr "Configuración de Apache:" + +#. Type: multiselect +#. Description +#: ../templates:4002 +msgid "WebSVN supports any web server that php4 does, but this automatic configuration process only supports Apache." +msgstr "WebSVN es compatible con cualquier servidor web que permita usar php4, pero este proceso de configuración sólo es compatible con Apache." + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Note on permissions" +msgstr "Atento a los permisos" + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Due to a limitation in the DB format, the 'svnlook' command needs read-write access to the repository (to create locks etc). You need to give read-write permissions to the user running your webserver on all your repositories." +msgstr "Debido a una limitación del formato de la base de datos, la orden «svnlook» necesita acceso de lectura y escritura al repositorio (para crear cerrojos, etc). Necesita asignar los permisos de lectura y escritura al usuario que ejecute su servidor web sobre todos sus repositorios." + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Another way of avoiding this problem is by creating SVN repositories with the --fs-type=fsfs option. Existing DB repositories can be converted to the FSFS format by using the svnadmin dump/load commands." +msgstr "Otra manera de evitar este problema es creando los repositorios de SVN con la opción «--fs-type=fsfs». La base de datos existente de los repositorios se puede convertir al formato FSFS usando las órdenes «svnadmin dump» o «svnadmin load»." + only in patch2: unchanged: --- websvn-2.0.orig/debian/patches/12_security_known_path_cve_2009_0240.patch +++ websvn-2.0/debian/patches/12_security_known_path_cve_2009_0240.patch 
@@ -0,0 +1,179 @@ +Backport changes from upstream svn to fix known paths security bypass +http://security-tracker.debian.net/tracker/CVE-2009-0240 + +r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line +fixed authentication check for subfolders, patch by Dirk Thomas + +r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line +fixed access control with calm theme + +r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line +restrict visible entries and log messages based on auth + +diff -ruNp websvn-2.0/include/auth.php websvn-2.0.foo/include/auth.php +--- websvn-2.0/include/auth.php 2007-06-05 16:05:34.000000000 +0200 ++++ websvn-2.0.foo/include/auth.php 2009-02-14 15:54:03.000000000 +0100 +@@ -144,7 +144,7 @@ class Authentication + { + $qualified = $repos.":".$path; + $len = strlen($qualified); +- if ($len <= strlen($section) && strncmp($section, $qualified, $len) == 0) ++ if ($len < strlen($section) && strncmp($section, $qualified, $len) == 0) + { + $access = $this->inList($accessers, $this->user); + } +@@ -152,7 +152,7 @@ class Authentication + if ($access != ALLOW) + { + $len = strlen($path); +- if ($len <= strlen($section) && strncmp($section, $path, $len) == 0) ++ if ($len < strlen($section) && strncmp($section, $path, $len) == 0) + { + $access = $this->inList($accessers, $this->user); + } +diff -ruNp websvn-2.0/include/svnlook.php websvn-2.0.foo/include/svnlook.php +--- websvn-2.0/include/svnlook.php 2007-08-13 10:38:26.000000000 +0200 ++++ websvn-2.0.foo/include/svnlook.php 2009-02-14 16:00:04.000000000 +0100 +@@ -771,6 +771,33 @@ Class SVNRepository + } + + xml_parser_free($xml_parser); ++ ++ foreach ($curLog->entries as $entryKey => $entry) { ++ $fullModAccess = true; ++ $anyModAccess = (count($entry->mods) == 0); ++ foreach ($entry->mods as $modKey => $mod) { ++ $access = $this->repConfig->hasReadAccess($mod->path); ++ if ($access) { ++ $anyModAccess = true; ++ } else { ++ // hide modified 
entry when access is prohibited ++ unset($curLog->entries[$entryKey]->mods[$modKey]); ++ $fullModAccess = false; ++ } ++ } ++ if (!$fullModAccess) { ++ // hide commit message when access to any of the entries is prohibited ++ $curLog->entries[$entryKey]->msg = ''; ++ } ++ if (!$anyModAccess) { ++ // hide author and date when access to all of the entries is prohibited ++ $curLog->entries[$entryKey]->author = ''; ++ $curLog->entries[$entryKey]->date = ''; ++ $curLog->entries[$entryKey]->committime = ''; ++ $curLog->entries[$entryKey]->age = ''; ++ } ++ } ++ + return $curLog; + } + +diff -ruNp websvn-2.0/templates/calm/blame.tmpl websvn-2.0.foo/templates/calm/blame.tmpl +--- websvn-2.0/templates/calm/blame.tmpl 2007-06-08 09:02:32.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/blame.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div style="margin:0 2% 0 2%"> + <h2 class="path">[websvn:curdirlinks] - [lang:BLAMEFOR] [websvn:rev]</h2> + <p> +@@ -31,3 +35,4 @@ + </tbody> + </table> + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/compare.tmpl websvn-2.0.foo/templates/calm/compare.tmpl +--- websvn-2.0/templates/calm/compare.tmpl 2007-08-08 14:25:48.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/compare.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="[lang:PROJECTS]">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ 
[lang:NOACCESS] ++[websvn-else] + <div id="info"> + <h2>Compare Revisions</h2> + <ul><li><dl><dt><strong>[lang:CONVFROM]</strong></dt><dd class="curdir"><pre title="[websvn:path1]">[websvn:path1]</pre></dd><dd>from [lang:REV] [websvn:rev1] to [lang:REV] [websvn:rev2]</dd><dd>↔ [websvn:revlink]</dd></dl></li> +@@ -60,3 +64,4 @@ + [websvn-endtest] + + [websvn-endlisting] ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/diff.tmpl websvn-2.0.foo/templates/calm/diff.tmpl +--- websvn-2.0/templates/calm/diff.tmpl 2007-06-11 09:37:17.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/diff.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div style="margin:0 2% 0 2%"> + <h2 class="path">[websvn:curdirlinks] - [lang:DIFFREVS] [websvn:rev2] [lang:AND] [websvn:rev1]</h2> + +@@ -48,3 +52,4 @@ + </table> + [websvn-endtest] + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/directory.tmpl websvn-2.0.foo/templates/calm/directory.tmpl +--- websvn-2.0/templates/calm/directory.tmpl 2007-06-13 08:09:55.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/directory.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,6 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> + ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2> + <p> + 
[websvn-test:goyoungestlink] +@@ -130,3 +133,4 @@ e-node=<img src="[websvn:locwebsvnhttp]/ + </p> + [websvn:compare_endform] + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/file.tmpl websvn-2.0.foo/templates/calm/file.tmpl +--- websvn-2.0/templates/calm/file.tmpl 2007-06-08 09:02:32.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/file.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2> + <p> + [websvn-test:goyoungestlink] +@@ -19,3 +23,4 @@ + <span class="diff">[websvn:prevdifflink]</span> | + <span class="diff">[websvn:blamelink]</span> + </p> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/log.tmpl websvn-2.0.foo/templates/calm/log.tmpl +--- websvn-2.0/templates/calm/log.tmpl 2007-06-13 08:09:55.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/log.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -15,6 +15,9 @@ + [websvn-endtest] + </p> + ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div id="info"> + <h2>[lang:FILTER]</h2> + +@@ -89,4 +92,5 @@ + <p>[websvn:pagelinks]</p> + <p>[websvn:showalllink]</p> + ++[websvn-endtest] + </div>
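Review bot: in the first include/auth.php hunk (@@ -144,7) the tightened test `$len < strlen($section)` now excludes a section that equals `$qualified` exactly, but what remains is still a bare prefix compare: `strncmp($section, $qualified, $len)` with `$len = strlen($qualified)` treats the section `repo:/trunk-private` as lying under a requested path of `repo:/trunk`, because nothing requires a `/` right after the prefix (unless `$path` always carries a trailing slash, which this hunk does not show). If the loop is meant to find sections below the requested path, the exact-match case must be handled earlier in the function (not visible here), and the prefix test should additionally check that `$section[$len] == '/'` so that sibling paths sharing a name prefix are not mistaken for subfolders.

Review bot: the second include/auth.php hunk (@@ -152,7) has the same missing path-separator boundary on the unqualified `$path` compare. Since both branches do the same "is `$section` under this path" test, it would be cleaner and safer to factor it into one helper that includes the boundary check, so the qualified and unqualified forms cannot drift apart again.

Review bot: in the include/svnlook.php hunk, `$anyModAccess = (count($entry->mods) == 0)` makes a log entry with no changed-path list count as fully readable: `$fullModAccess` stays true, so its `msg`, `author` and `date` are returned unfiltered. If getLog can be called without changed paths (a non-verbose log), the new filter is a no-op for those calls; either make the caller always fetch the path list when filtering is required, or default to blanking `msg` when `mods` is empty and the requested path has not been checked with `hasReadAccess`. A second point: an entry whose paths are all denied is kept with blanked fields rather than dropped, so the revision number still reveals that a commit happened there; if that is intended, say so in a comment, otherwise `unset($curLog->entries[$entryKey])` when `!$anyModAccess`.

Review bot: the templates/calm hunks wrap each page body in `[websvn-test:noaccess] ... [websvn-endtest]`, but in log.tmpl (@@ -15,6 +15,9) the guard is opened at line 18, after a `</p>` that closes content rendered unconditionally; if lines 1-17 of that template carry the path breadcrumb or revision links that the other templates put in `<h2 class="path">`, those are still emitted to a user without access. Consider opening the guard at the same position as in file.tmpl and directory.tmpl. Two further points: only the calm template set is changed (matching r636 "fixed access control with calm theme"), so any other template directory shipped with the package needs the same guards or its pages stay unprotected; and since no PHP handler is touched, the `noaccess` flag must already be computed by the handlers, so please confirm they also skip the underlying svn cat/diff/blame call for a denied path rather than only setting the flag, as a template that forgets the guard would otherwise leak the data that was fetched anyway.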
diff -u websvn-2.0/debian/changelog websvn-2.0/debian/changelog --- websvn-2.0/debian/changelog +++ websvn-2.0/debian/changelog @@ -1,3 +1,18 @@ +websvn (2.0-4+nmu1) unstable; urgency=high + + * Non-maintainer upload. + * debian/patches/12_security_known_path_cve_2009_0240.patch: + - Backports upstream changes from subversion r635, r636 and r649 to + fix a security hole where authenticated users can access files + with known paths. Closes: #512191. + - Urgency high for the security fix. + - References: CVE-2009-0240 + * debian/po/es.po: + - Added Spanish debconf translation, thanks Francisco Javier Cuadrado. + Closes: #508488. + + -- Emilio Pozuelo Monfort <po...@ubuntu.com> Sat, 14 Feb 2009 16:30:02 +0100 + websvn (2.0-4) unstable; urgency=high * Security: fix potential Cross Site Scripting and Directory diff -u websvn-2.0/debian/patches/series websvn-2.0/debian/patches/series --- websvn-2.0/debian/patches/series +++ websvn-2.0/debian/patches/series @@ -2,0 +3 @@ +12_security_known_path_cve_2009_0240.patch only in patch2: unchanged: --- websvn-2.0.orig/debian/po/es.po +++ websvn-2.0/debian/po/es.po 
@@ -0,0 +1,137 @@ +# websvn po-debconf translation to Spanish +# Copyright (C) 2008 Software in the Public Interest +# This file is distributed under the same license as the websvn package. +# +# Changes: +# - Initial translation +# Francisco Javier Cuadrado <fcocuadr...@gmail.com>, 2008 +# +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor, lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish/ +# especialmente las notas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guÃa de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +msgid "" +msgstr "" +"Project-Id-Version: websvn 2.0-4\n" +"Report-Msgid-Bugs-To: chiffl...@cpe.fr\n" +"POT-Creation-Date: 2006-11-14 09:46+0100\n" +"PO-Revision-Date: \n" +"Last-Translator: Francisco Javier Cuadrado <fcocuadr...@gmail.com>\n" +"Language-Team: Debian l10n spanish <debian-l10n-span...@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "Do you want to configure WebSVN now?" +msgstr "¿Desea configurar WebSVN ahora?" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "WebSVN needs to be configured before its use, ie you must set the locations of the repositories." +msgstr "WebSVN necesita configurarse antes de usarlo, por ejemplo: debe configurar las ubicaciones de los repositorios." + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "If you want to configure it later, you should run 'dpkg-reconfigure websvn'." 
+msgstr "Si quiere configurarlo después, deberÃa ejecutar «dpkg-reconfigure websvn»." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "svn parent repositories:" +msgstr "Repositorios padres de svn:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "If you have directories containing svn repositories, enter the location of each parent directory you want to appear on websvn page." +msgstr "Si tiene directorios que contienen repositorios svn, introduzca la ubicación de cada directorio padre si quiere que aparezcan en la página de websvn." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "You must specify at least one existing subversion repository or WebSVN will not work. You can specify single repositories on the next step of the config." +msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará. Puede especificar repositorios únicos en el siguiente paso de la configuración." + +#. Type: string +#. Description +#. Type: string +#. Description +#: ../templates:2001 +#: ../templates:3001 +msgid "Separate each entry with a comma (,) but NO SPACE or leave empty." +msgstr "Separe cada entrada con una coma (,) pero NO USE ESPACIOS o déjelo vacÃo." + +#. Type: string +#. Description +#: ../templates:3001 +msgid "svn repositories:" +msgstr "Repositorios de svn:" + +#. Type: string +#. Description +#: ../templates:3001 +msgid "Enter the location of each svn repository you want to appear on websvn page." +msgstr "Introduzca la ubicación de cada repositorio de svn que quiere que aparezca en la página de websvn." + +#. Type: string +#. Description +#: ../templates:3001 +msgid "You must specify at least one existing subversion repository or WebSVN will not work, except if you have given a parent path previously." +msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará, excepto si ha elegido previamente una ruta de un padre." + +#. Type: multiselect +#. 
Choices +#: ../templates:4001 +msgid "apache, apache-ssl, apache-perl, apache2" +msgstr "apache, apache-ssl, apache-perl, apache2" + +#. Type: multiselect +#. Description +#: ../templates:4002 +msgid "Apache configuration:" +msgstr "Configuración de Apache:" + +#. Type: multiselect +#. Description +#: ../templates:4002 +msgid "WebSVN supports any web server that php4 does, but this automatic configuration process only supports Apache." +msgstr "WebSVN es compatible con cualquier servidor web que permita usar php4, pero este proceso de configuración sólo es compatible con Apache." + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Note on permissions" +msgstr "Atento a los permisos" + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Due to a limitation in the DB format, the 'svnlook' command needs read-write access to the repository (to create locks etc). You need to give read-write permissions to the user running your webserver on all your repositories." +msgstr "Debido a una limitación del formato de la base de datos, la orden «svnlook» necesita acceso de lectura y escritura al repositorio (para crear cerrojos, etc). Necesita asignar los permisos de lectura y escritura al usuario que ejecute su servidor web sobre todos sus repositorios." + +#. Type: note +#. Description +#: ../templates:5001 +msgid "Another way of avoiding this problem is by creating SVN repositories with the --fs-type=fsfs option. Existing DB repositories can be converted to the FSFS format by using the svnadmin dump/load commands." +msgstr "Otra manera de evitar este problema es creando los repositorios de SVN con la opción «--fs-type=fsfs». La base de datos existente de los repositorios se puede convertir al formato FSFS usando las órdenes «svnadmin dump» o «svnadmin load»." + only in patch2: unchanged: --- websvn-2.0.orig/debian/patches/12_security_known_path_cve_2009_0240.patch +++ websvn-2.0/debian/patches/12_security_known_path_cve_2009_0240.patch 
@@ -0,0 +1,179 @@ +Backport changes from upstream svn to fix known paths security bypass +http://security-tracker.debian.net/tracker/CVE-2009-0240 + +r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line +fixed authentication check for subfolders, patch by Dirk Thomas + +r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line +fixed access control with calm theme + +r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line +restrict visible entries and log messages based on auth + +diff -ruNp websvn-2.0/include/auth.php websvn-2.0.foo/include/auth.php +--- websvn-2.0/include/auth.php 2007-06-05 16:05:34.000000000 +0200 ++++ websvn-2.0.foo/include/auth.php 2009-02-14 15:54:03.000000000 +0100 +@@ -144,7 +144,7 @@ class Authentication + { + $qualified = $repos.":".$path; + $len = strlen($qualified); +- if ($len <= strlen($section) && strncmp($section, $qualified, $len) == 0) ++ if ($len < strlen($section) && strncmp($section, $qualified, $len) == 0) + { + $access = $this->inList($accessers, $this->user); + } +@@ -152,7 +152,7 @@ class Authentication + if ($access != ALLOW) + { + $len = strlen($path); +- if ($len <= strlen($section) && strncmp($section, $path, $len) == 0) ++ if ($len < strlen($section) && strncmp($section, $path, $len) == 0) + { + $access = $this->inList($accessers, $this->user); + } +diff -ruNp websvn-2.0/include/svnlook.php websvn-2.0.foo/include/svnlook.php +--- websvn-2.0/include/svnlook.php 2007-08-13 10:38:26.000000000 +0200 ++++ websvn-2.0.foo/include/svnlook.php 2009-02-14 16:00:04.000000000 +0100 +@@ -771,6 +771,33 @@ Class SVNRepository + } + + xml_parser_free($xml_parser); ++ ++ foreach ($curLog->entries as $entryKey => $entry) { ++ $fullModAccess = true; ++ $anyModAccess = (count($entry->mods) == 0); ++ foreach ($entry->mods as $modKey => $mod) { ++ $access = $this->repConfig->hasReadAccess($mod->path); ++ if ($access) { ++ $anyModAccess = true; ++ } else { ++ // hide modified 
entry when access is prohibited ++ unset($curLog->entries[$entryKey]->mods[$modKey]); ++ $fullModAccess = false; ++ } ++ } ++ if (!$fullModAccess) { ++ // hide commit message when access to any of the entries is prohibited ++ $curLog->entries[$entryKey]->msg = ''; ++ } ++ if (!$anyModAccess) { ++ // hide author and date when access to all of the entries is prohibited ++ $curLog->entries[$entryKey]->author = ''; ++ $curLog->entries[$entryKey]->date = ''; ++ $curLog->entries[$entryKey]->committime = ''; ++ $curLog->entries[$entryKey]->age = ''; ++ } ++ } ++ + return $curLog; + } + +diff -ruNp websvn-2.0/templates/calm/blame.tmpl websvn-2.0.foo/templates/calm/blame.tmpl +--- websvn-2.0/templates/calm/blame.tmpl 2007-06-08 09:02:32.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/blame.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div style="margin:0 2% 0 2%"> + <h2 class="path">[websvn:curdirlinks] - [lang:BLAMEFOR] [websvn:rev]</h2> + <p> +@@ -31,3 +35,4 @@ + </tbody> + </table> + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/compare.tmpl websvn-2.0.foo/templates/calm/compare.tmpl +--- websvn-2.0/templates/calm/compare.tmpl 2007-08-08 14:25:48.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/compare.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="[lang:PROJECTS]">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ 
[lang:NOACCESS] ++[websvn-else] + <div id="info"> + <h2>Compare Revisions</h2> + <ul><li><dl><dt><strong>[lang:CONVFROM]</strong></dt><dd class="curdir"><pre title="[websvn:path1]">[websvn:path1]</pre></dd><dd>from [lang:REV] [websvn:rev1] to [lang:REV] [websvn:rev2]</dd><dd>↔ [websvn:revlink]</dd></dl></li> +@@ -60,3 +64,4 @@ + [websvn-endtest] + + [websvn-endlisting] ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/diff.tmpl websvn-2.0.foo/templates/calm/diff.tmpl +--- websvn-2.0/templates/calm/diff.tmpl 2007-06-11 09:37:17.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/diff.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div style="margin:0 2% 0 2%"> + <h2 class="path">[websvn:curdirlinks] - [lang:DIFFREVS] [websvn:rev2] [lang:AND] [websvn:rev1]</h2> + +@@ -48,3 +52,4 @@ + </table> + [websvn-endtest] + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/directory.tmpl websvn-2.0.foo/templates/calm/directory.tmpl +--- websvn-2.0/templates/calm/directory.tmpl 2007-06-13 08:09:55.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/directory.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,6 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> + ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2> + <p> + 
[websvn-test:goyoungestlink] +@@ -130,3 +133,4 @@ e-node=<img src="[websvn:locwebsvnhttp]/ + </p> + [websvn:compare_endform] + </div> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/file.tmpl websvn-2.0.foo/templates/calm/file.tmpl +--- websvn-2.0/templates/calm/file.tmpl 2007-06-08 09:02:32.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/file.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -1,5 +1,9 @@ + <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div> + <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1> ++ ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2> + <p> + [websvn-test:goyoungestlink] +@@ -19,3 +23,4 @@ + <span class="diff">[websvn:prevdifflink]</span> | + <span class="diff">[websvn:blamelink]</span> + </p> ++[websvn-endtest] +diff -ruNp websvn-2.0/templates/calm/log.tmpl websvn-2.0.foo/templates/calm/log.tmpl +--- websvn-2.0/templates/calm/log.tmpl 2007-06-13 08:09:55.000000000 +0200 ++++ websvn-2.0.foo/templates/calm/log.tmpl 2009-02-14 16:01:06.000000000 +0100 +@@ -15,6 +15,9 @@ + [websvn-endtest] + </p> + ++[websvn-test:noaccess] ++ [lang:NOACCESS] ++[websvn-else] + <div id="info"> + <h2>[lang:FILTER]</h2> + +@@ -89,4 +92,5 @@ + <p>[websvn:pagelinks]</p> + <p>[websvn:showalllink]</p> + ++[websvn-endtest] + </div>