Your message dated Sat, 24 Jan 2015 13:33:23 +0000
with message-id <e1yf0q3-0002ua...@franck.debian.org>
and subject line Bug#775682: fixed in websvn 2.3.3-1.2
has caused the Debian Bug report #775682,
regarding websvn: CVE-2013-6892: arbitrary file access when downloads enabled
for users with commit access
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: websvn
Severity: serious
Tags: security patch
Hi,
James Clawson reported:
"Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).
An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.
Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
resolved on the web server).
This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories."
I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.
I've created the attached patch, which solves the bug.
Cheers,
Thijs
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php 2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
exit(0);
}
+ // For security reasons, disallow direct downloads of filenames that
+ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+ // Deciding whether the symlink is relative and legal within the
+ // repository would be nice but seems to error prone at this moment.
+ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+ header('HTTP/1.x 500 Internal Server Error', true, 500);
+ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
+ removeDirectory($tempDir);
+ exit(0);
+ }
+
// Set timestamp of exported directory (and subdirectories) to timestamp of
// the revision so every archive of a given revision has the same timestamp.
$revDate = $logEntry->date;
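Review bot: the `is_link()` test added here inspects only `$tempDir/$archiveName` itself, so for a directory download (the dlmode=zip case from the report) a symlink sitting anywhere below that directory passes this check untouched; the comment should say explicitly that nested symlinks are left to the archive step rather than leave readers assuming this block is the whole fix. Two smaller points: "seems to error prone" should read "seems too error prone", and refusing a download on policy grounds is a 403 Forbidden, not a 500 Internal Server Error, which will be counted as a server fault by anything monitoring the web server's status codes; `header('HTTP/1.x 403 Forbidden', true, 403);` would be the accurate response.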
@@ -180,7 +192,7 @@
$downloadMimeType = 'application/x-zip';
$downloadArchive .= '.zip';
// Create zip file
- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
execCommand($cmd, $retcode);
if ($retcode != 0) {
error_log('Unable to call zip command: '.$cmd);
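Review bot: the `--symlinks` flag (Info-ZIP's `-y`) is doing security work here, storing the link entry instead of the target's contents, and a later cleanup could drop it as a cosmetic option unless a comment ties it to the `is_link()` refusal above and to CVE-2013-6892. The flag is also Info-ZIP specific: if `$config->zip` points at another zip implementation the command fails, and the existing `$retcode != 0` branch reports 'Unable to call zip command', which fails safe but should be documented next to the zip setting in the config. Finally, the reporter notes that dlmode=zip had to be added to the download link by hand, so directories are normally fetched through a different mode that this hunk does not touch; confirm that mode stores symlinks as symlinks rather than dereferencing them before closing the bug.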
--- End Message ---
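The PHP script below is an added example written for this page; it is not code from websvn, from the reporter, or from the Debian patch. It simulates the tree that dl.php reads after an export (the symlink that svn export would materialise from a committed svn:special entry is created directly with symlink(), and a temporary file stands in for /etc/passwd so the script runs unprivileged), shows the vulnerable read that follows the link, the top-level is_link() refusal that the patch adds, and a stricter walk that also catches a symlink nested inside a directory by comparing each link's realpath() against the export root. That last check goes beyond the Debian patch, whose comment explicitly declined to judge symlink targets. All function names are hypothetical.

```php
<?php
// Added example (not websvn code): reproduce the symlink-follow problem of
// CVE-2013-6892 on a constructed export directory and show two checks.
// Assumptions: function names are hypothetical; "svn export" is simulated
// with mkdir()/symlink(); a temp file stands in for /etc/passwd.

// Build a fake export directory holding a regular file, a top-level symlink
// and a symlink nested inside a subdirectory (the case a top-level is_link()
// on the requested entry does not see).
function buildFakeExport(string $secretPath): string
{
    $tempDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export_' . bin2hex(random_bytes(4));
    mkdir($tempDir, 0700, true);
    mkdir($tempDir . DIRECTORY_SEPARATOR . 'docs', 0700);
    file_put_contents($tempDir . DIRECTORY_SEPARATOR . 'README', "harmless content\n");
    symlink($secretPath, $tempDir . DIRECTORY_SEPARATOR . 'passwd_link');
    symlink($secretPath, $tempDir . DIRECTORY_SEPARATOR . 'docs' . DIRECTORY_SEPARATOR . 'nested_link');
    return $tempDir;
}

// Vulnerable pattern: stream whatever the exported path resolves to.
// The symlink is followed on the web server, so its target is served.
function vulnerableDownload(string $tempDir, string $archiveName): string
{
    return file_get_contents($tempDir . DIRECTORY_SEPARATOR . $archiveName);
}

// Check 1, what the Debian patch does: refuse if the requested entry itself
// is a symlink. Sufficient for single-file downloads only.
function isTopLevelSymlink(string $tempDir, string $archiveName): bool
{
    return is_link($tempDir . DIRECTORY_SEPARATOR . $archiveName);
}

// Check 2, stricter and added here: walk the whole exported tree and report
// every symlink whose resolved target lies outside the export root. Symlinked
// directories are listed but not descended into (no FOLLOW_SYMLINKS flag),
// so a link loop cannot make the walk run forever.
function findEscapingSymlinks(string $tempDir): array
{
    $root = realpath($tempDir);
    $bad = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($tempDir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (!is_link($path)) {
            continue;
        }
        $target = realpath($path); // fully resolved target; false for a dangling link
        if ($target === false
            || strpos($target . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
            $bad[] = substr($path, strlen($tempDir) + 1); // path relative to the export root
        }
    }
    sort($bad);
    return $bad;
}

// Remove the constructed tree without following any symlink in it.
function removeTree(string $dir): void
{
    foreach (new FilesystemIterator($dir, FilesystemIterator::SKIP_DOTS) as $entry) {
        if ($entry->isDir() && !$entry->isLink()) {
            removeTree($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
    }
    rmdir($dir);
}

// Demonstration on a constructed tree (run from the CLI).
$secret = tempnam(sys_get_temp_dir(), 'secret_');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n"); // constructed stand-in for /etc/passwd
$tempDir = buildFakeExport($secret);

echo "vulnerable download serves the link target:\n", vulnerableDownload($tempDir, 'passwd_link');
echo "is_link on passwd_link: ", var_export(isTopLevelSymlink($tempDir, 'passwd_link'), true), "\n";
// Requesting the directory passes check 1 even though docs/nested_link escapes.
echo "is_link on docs: ", var_export(isTopLevelSymlink($tempDir, 'docs'), true), "\n";
echo "escaping symlinks found by the tree walk: ", implode(', ', findEscapingSymlinks($tempDir)), "\n";

removeTree($tempDir);
unlink($secret);
```

Run it with `php example.php`. The tree walk is the piece to keep in mind when reviewing the patch: the zip branch relies on the archiver storing links rather than following them, whereas a realpath() comparison makes the decision in dl.php itself and does not depend on which archiver `$config->zip` names.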
--- Begin Message ---
Source: websvn
Source-Version: 2.3.3-1.2
We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated websvn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
websvn - interface for Subversion repositories written in PHP
Closes: 775682
Changes:
websvn (2.3.3-1.2) unstable; urgency=high
.
* Non-maintainer upload by the security team.
* Disable download of in-repository symlinks to prevent arbitrary
file access (CVE-2013-6892, Closes: #775682).
Checksums-Sha1:
8434786c42750300417987374d152e48fd87ca4f 1380 websvn_2.3.3-1.2.dsc
6d14165c21efafeeeb4f01dc2a18e9d2017b5ced 26396 websvn_2.3.3-1.2.debian.tar.xz
b4030cda02864cd15b0d65d79a206027524e0712 218682 websvn_2.3.3-1.2_all.deb
Checksums-Sha256:
d23ba68cc78822c8470ccb4b1a2c12f90429a2d693462e6e7855793309201527 1380 websvn_2.3.3-1.2.dsc
5a4b706c056b7d01602b58366040da02c5f2689ae448afe753517a0466448c9b 26396 websvn_2.3.3-1.2.debian.tar.xz
cdb48999168d50b5a022af5af6190e38f89e653394cbc9e6abef0db08f5befc9 218682 websvn_2.3.3-1.2_all.deb
Files:
ecb8e592b407c730f625d0cdeced228d 1380 devel optional websvn_2.3.3-1.2.dsc
9c9a3255c6523e3abda707951e474aa9 26396 devel optional websvn_2.3.3-1.2.debian.tar.xz
831e886cc4bca2ed9db14de7006a65bb 218682 devel optional websvn_2.3.3-1.2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJUw5NLAAoJEFb2GnlAHawEg/YIAJDEcmeokMoWrSGF4kY4ccQK
5K9TXthJd/XijJP/w6IMRiydgnrS2ApRBqXehqO6avrXTZe7S/KekiCfn+C6NBzu
TMZayfmM1Os/WBNAwZrrd0xWVMwJZkacNdUGbAxzo2thLW1tmWitIFbke3LHbBkw
VeBLdUwVibWMbQ3/bsJASOxbG7hXkQHJP4zIVbF5WRJzcvQLZze43QE/lOWbQ9ET
Iq6anXOzBHjO0y12aL0Z2xMsaY3OgOwSRTdWpbbT2lzrXku0l8JJEO1L3+G3o65w
HxS6Z5tLgcniDe5kZAISoSXxhDto1Ho5zwsvsc+D6lI2hlR1IufnWoHYlQqPuB0=
=8q6M
-----END PGP SIGNATURE-----
--- End Message ---