Date: Sun, 6 Mar 2016 18:26:39 +0000 (UTC) From: Raphael Kubo da Costa <rakuco@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r410474 - in head/devel/websvn: . files Message-ID: <201603061826.u26IQdFh080175@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rakuco Date: Sun Mar 6 18:26:38 2016 New Revision: 410474 URL: https://svnweb.freebsd.org/changeset/ports/410474 Log: Add patches to fix CVE-2013-6892 and CVE-2016-2511. PR: 207740 Approved by: ports-secteam (feld) MFH: 2016Q1 Added: head/devel/websvn/files/patch-CVE-2013-6892 (contents, props changed) head/devel/websvn/files/patch-CVE-2016-2511 (contents, props changed) Modified: head/devel/websvn/Makefile Modified: head/devel/websvn/Makefile ============================================================================== --- head/devel/websvn/Makefile Sun Mar 6 18:19:41 2016 (r410473) +++ head/devel/websvn/Makefile Sun Mar 6 18:26:38 2016 (r410474) @@ -3,6 +3,7 @@ PORTNAME= websvn PORTVERSION= 2.3.3 +PORTREVISION= 1 CATEGORIES= devel www MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/ Added: head/devel/websvn/files/patch-CVE-2013-6892 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/websvn/files/patch-CVE-2013-6892 Sun Mar 6 18:26:38 2016 (r410474) @@ -0,0 +1,37 @@ +Arbitrary files with a known path can be accessed in websvn by committing a +symlink to a repository and then downloading the file (using the download +link). + +Author: Thijs Kinkhorst <thijs@debian.org> + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682 +--- dl.php.orig 2011-06-27 09:02:52 UTC ++++ dl.php +@@ -137,6 +137,18 @@ if ($rep) { + exit(0); + } + ++ // For security reasons, disallow direct downloads of filenames that ++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd) ++ // Deciding whether the symlink is relative and legal within the ++ // repository would be nice but seems to error prone at this moment. ++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) { ++ header('HTTP/1.x 500 Internal Server Error', true, 500); ++ error_log('to be downloaded file is symlink, aborting: '.$archiveName); ++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".'; ++ removeDirectory($tempDir); ++ exit(0); ++ } ++ + // Set timestamp of exported directory (and subdirectories) to timestamp of + // the revision so every archive of a given revision has the same timestamp. + $revDate = $logEntry->date; +@@ -180,7 +192,7 @@ if ($rep) { + $downloadMimeType = 'application/x-zip'; + $downloadArchive .= '.zip'; + // Create zip file +- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName); ++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName); + execCommand($cmd, $retcode); + if ($retcode != 0) { + error_log('Unable to call zip command: '.$cmd); Added: head/devel/websvn/files/patch-CVE-2016-2511 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/websvn/files/patch-CVE-2016-2511 Sun Mar 6 18:26:38 2016 (r410474) @@ -0,0 +1,12 @@ +Obtained from: Debian +--- include/setup.php.orig 2011-06-27 09:12:51 UTC ++++ include/setup.php +@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', + $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26'); + + // To avoid a possible XSS exploit, need to clean up the passed-in path first +-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null; ++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null; + if ($path === null || $path === '') + $path = '/'; + $vars['safepath'] = escape($path);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603061826.u26IQdFh080175>