Date:      Sun, 6 Mar 2016 18:30:22 +0000 (UTC)
From:      Raphael Kubo da Costa <rakuco@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r410475 - in branches/2016Q1/devel/websvn: . files
Message-ID:  <201603061830.u26IUMJv080495@repo.freebsd.org>

Author: rakuco
Date: Sun Mar  6 18:30:22 2016
New Revision: 410475
URL: https://svnweb.freebsd.org/changeset/ports/410475

Log:
  MFH: r410474
  
  Add patches to fix CVE-2013-6892 and CVE-2016-2511.
  
  PR:		207740
  Approved by:	ports-secteam (feld)

Added:
  branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892
     - copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2013-6892
  branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511
     - copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2016-2511
Modified:
  branches/2016Q1/devel/websvn/Makefile
Directory Properties:
  branches/2016Q1/   (props changed)

Modified: branches/2016Q1/devel/websvn/Makefile
==============================================================================
--- branches/2016Q1/devel/websvn/Makefile	Sun Mar  6 18:26:38 2016	(r410474)
+++ branches/2016Q1/devel/websvn/Makefile	Sun Mar  6 18:30:22 2016	(r410475)
@@ -3,6 +3,7 @@
 
 PORTNAME=	websvn
 PORTVERSION=	2.3.3
+PORTREVISION=	1
 CATEGORIES=	devel www
 MASTER_SITES=	http://websvn.tigris.org/files/documents/1380/49056/
 
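Review bot: the PORTREVISION=1 bump is required, not optional, for this change: the distfile and PORTVERSION stay at 2.3.3, so without it the patched build would carry the same package version string and pkg would not offer it as an upgrade to hosts already running websvn-2.3.3; the hunk gets this right.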

Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 (from r410474, head/devel/websvn/files/patch-CVE-2013-6892)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892	Sun Mar  6 18:30:22 2016	(r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2013-6892)
@@ -0,0 +1,37 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs@debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+--- dl.php.orig	2011-06-27 09:02:52 UTC
++++ dl.php
+@@ -137,6 +137,18 @@ if ($rep) {
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry->date;
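Review bot: the is_link() check only inspects the top-level export path $tempDir/$archiveName, so when $archiveName is a directory, symlinks nested inside the export are not caught here and are left to the archiver; that is only safe if every archive command in dl.php stores links instead of following them (the zip call is adjusted in the next hunk of this patch; any other archive format dl.php offers should be checked the same way). Two smaller points: a 500 status signals a server fault for what is a rejected client request, so 403 Forbidden would describe it better, and the comment should read "too error prone".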
+@@ -180,7 +192,7 @@ if ($rep) {
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
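Review bot: --symlinks makes zip store a symlink entry rather than the link target, which is what closes the directory-download variant of the issue, but it is an Info-ZIP option; if $config->zip can point at a different zip implementation, the command now exits non-zero and the download fails with the "Unable to call zip command" path below. That failure is safe (nothing is served), but the dependency on Info-ZIP zip should be documented in the port, and the same "store, don't follow" behaviour should be confirmed for any other archiver dl.php invokes.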

Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 (from r410474, head/devel/websvn/files/patch-CVE-2016-2511)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511	Sun Mar  6 18:30:22 2016	(r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2016-2511)
@@ -0,0 +1,12 @@
+Obtained from: Debian
+--- include/setup.php.orig	2011-06-27 09:12:51 UTC
++++ include/setup.php
+@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', 
+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+ 
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+ 	$path = '/';
+ $vars['safepath'] = escape($path);
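Review bot: escaping at the input side means $path now carries HTML entities, and the unchanged line $vars['safepath'] = escape($path) three lines below escapes it a second time, so a path containing & or a quote renders double-encoded in templates; if this $path is also the value handed to Subversion for the repository lookup, such paths will no longer resolve at all. The more precise fix is to keep $path raw and escape at each sink (safepath already does); if input-side escaping is kept for the backport, the second escape() on the safepath line should go. Since the patch is taken from Debian as-is ("Obtained from: Debian"), this is fine as a ports backport, but the double encoding is worth raising upstream.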



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603061830.u26IUMJv080495>