Your message dated Sun, 25 Jan 2015 15:17:16 +0000
with message-id <e1yfow8-0008jj...@franck.debian.org>
and subject line Bug#775682: fixed in websvn 2.3.3-1.1+deb7u1
has caused the Debian Bug report #775682,
regarding websvn: CVE-2013-6892: arbitrary file access when downloads enabled
for users with commit access
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: websvn
Severity: serious
Tags: security patch
Hi,
James Clawson reported:
"Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).
An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.
Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
resolved on the web server).
This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories."
I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.
I've created the attached patch, which solves the bug.
Cheers,
Thijs
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php 2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php 2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
exit(0);
}
+ // For security reasons, disallow direct downloads of filenames that
+ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+ // Deciding whether the symlink is relative and legal within the
+ // repository would be nice but seems to error prone at this moment.
+ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+ header('HTTP/1.x 500 Internal Server Error', true, 500);
+ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
+ removeDirectory($tempDir);
+ exit(0);
+ }
+
// Set timestamp of exported directory (and subdirectories) to timestamp of
// the revision so every archive of a given revision has the same timestamp.
$revDate = $logEntry->date;
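Review bot: The is_link() test on $tempDir.DIRECTORY_SEPARATOR.$archiveName only inspects the top-level exported path, so a symlink nested inside an exported directory is not caught here and the directory case rests entirely on the --symlinks flag added to the zip command in the next hunk; the comment should say so, since a reader of this block alone would assume it closes the whole issue. Two smaller points: "seems to error prone" should read "seems too error prone", and a 403 Forbidden would describe a deliberate refusal better than 500 Internal Server Error, which will show up in monitoring as a server fault rather than a policy decision.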
@@ -180,7 +192,7 @@
$downloadMimeType = 'application/x-zip';
$downloadArchive .= '.zip';
// Create zip file
- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
execCommand($cmd, $retcode);
if ($retcode != 0) {
error_log('Unable to call zip command: '.$cmd);
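Review bot: --symlinks (Info-ZIP's -y) makes zip store the link entry instead of the file it points to, which is the right fix for nested links, but it assumes $config->zip is Info-ZIP zip; a different zip binary that rejects the option will fail every directory download through the retcode != 0 branch, so the requirement belongs in the configuration documentation next to the zip setting. Note also that the stored entry still carries the link target path, so the archive reveals where the link pointed even though the target's contents are no longer included.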
--- End Message ---
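The patch above refuses any top-level symlink outright. As an added illustration (not websvn's code, and not part of the bug report), the following generalises that check in the direction the patch comment calls "nice but error prone": it walks an exported tree, resolves every symlink, and reports only those whose target leaves the export directory. The function name, the demo directory layout and the stand-in target file are constructed for this example; it assumes a Unix filesystem where symlink() and realpath() behave as usual.

```php
<?php
// Added example, not websvn's code: list every entry under an exported tree
// whose resolved target lies outside that tree. The patch refuses any
// top-level symlink; this check also covers nested entries and permits
// relative links that stay inside the export. Function name is hypothetical.
function findEscapingEntries(string $exportDir): array
{
    $root = realpath($exportDir);
    if ($root === false) {
        throw new RuntimeException("export dir does not exist: $exportDir");
    }
    // Trailing separator so that /tmp/a does not match a target /tmp/ab.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $escaping = [];

    // Iterate from the canonical root so yielded paths share $rootPrefix.
    // Without FOLLOW_SYMLINKS the iterator does not descend into linked dirs.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (!is_link($path)) {
            continue;
        }
        // realpath() follows the whole chain; a dangling link gives false and
        // is treated as escaping because it cannot be proven safe.
        $target = realpath($path);
        $inside = $target !== false
            && ($target === $root || strncmp($target, $rootPrefix, strlen($rootPrefix)) === 0);
        if (!$inside) {
            $escaping[] = substr($path, strlen($rootPrefix));
        }
    }
    return $escaping;
}

// Constructed demo: a temporary "export" with one safe and one escaping link.
$demo = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'websvn-export-' . uniqid();
mkdir($demo);
file_put_contents("$demo/README", "inside the export\n");
symlink('README', "$demo/relative-ok");            // resolves inside: allowed
$outside = tempnam(sys_get_temp_dir(), 'secret');  // stands in for /etc/passwd
symlink($outside, "$demo/absolute-bad");           // resolves outside: refused
print_r(findEscapingEntries($demo));
foreach (['relative-ok', 'absolute-bad', 'README'] as $f) { unlink("$demo/$f"); }
rmdir($demo);
unlink($outside);
```

A caller in dl.php's position would refuse the download when the returned array is non-empty; resolving links before the archive step still leaves a small window in which the repository could be changed, so the export directory should be private to the request as it already is in websvn.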
--- Begin Message ---
Source: websvn
Source-Version: 2.3.3-1.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated websvn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.3-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Pierre Chifflier <pol...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
websvn - interface for Subversion repositories written in PHP
Closes: 775682
Changes:
websvn (2.3.3-1.1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the security team.
* Disable download of in-repository symlinks to prevent arbitrary
file access (CVE-2013-6892, Closes: #775682).
--- End Message ---