FreeBSD Bugzilla – Attachment 167760 Details for Bug 207740
devel/websvn: Add patches for CVE-2013-6892 and CVE-2016-2511
[patch] Proposed patch
websvn-cves.diff (text/plain), 3.55 KB, created by Raphael Kubo da Costa on 2016-03-06 13:26:14 UTC
>Index: Makefile >=================================================================== >--- Makefile (revision 410457) >+++ Makefile (working copy) >@@ -3,6 +3,7 @@ > > PORTNAME= websvn > PORTVERSION= 2.3.3 >+PORTREVISION= 1 > CATEGORIES= devel www > MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/ > >Index: files/patch-CVE-2013-6892 >=================================================================== >--- files/patch-CVE-2013-6892 (nonexistent) >+++ files/patch-CVE-2013-6892 (working copy) 
>@@ -0,0 +1,37 @@ >+Arbitrary files with a known path can be accessed in websvn by committing a >+symlink to a repository and then downloading the file (using the download >+link). >+ >+Author: Thijs Kinkhorst <thijs@debian.org> >+ >+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682 >+--- dl.php.orig 2011-06-27 09:02:52 UTC >++++ dl.php >+@@ -137,6 +137,18 @@ if ($rep) { >+ exit(0); >+ } >+ >++ // For security reasons, disallow direct downloads of filenames that >++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd) >++ // Deciding whether the symlink is relative and legal within the >++ // repository would be nice but seems to error prone at this moment. >++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) { >++ header('HTTP/1.x 500 Internal Server Error', true, 500); >++ error_log('to be downloaded file is symlink, aborting: '.$archiveName); >++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".'; >++ removeDirectory($tempDir); >++ exit(0); >++ } >++ >+ // Set timestamp of exported directory (and subdirectories) to timestamp of >+ // the revision so every archive of a given revision has the same timestamp. >+ $revDate = $logEntry->date; >+@@ -180,7 +192,7 @@ if ($rep) { >+ $downloadMimeType = 'application/x-zip'; >+ $downloadArchive .= '.zip'; >+ // Create zip file >+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName); >++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' 
'.quote($archiveName); >+ execCommand($cmd, $retcode); >+ if ($retcode != 0) { >+ error_log('Unable to call zip command: '.$cmd); > >Property changes on: files/patch-CVE-2013-6892 >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: files/patch-CVE-2016-2511 >=================================================================== >--- files/patch-CVE-2016-2511 (nonexistent) >+++ files/patch-CVE-2016-2511 (working copy) >@@ -0,0 +1,12 @@ >+Obtained from: Debian >+--- include/setup.php.orig 2011-06-27 09:12:51 UTC >++++ include/setup.php >+@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', >+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26'); >+ >+ // To avoid a possible XSS exploit, need to clean up the passed-in path first >+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null; >++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null; >+ if ($path === null || $path === '') >+ $path = '/'; >+ $vars['safepath'] = escape($path); > >Property changes on: files/patch-CVE-2016-2511 >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property
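
Review bot: In the dl.php hunk at @@ -137,6 +137,18 @@, is_link() is applied only to $tempDir.DIRECTORY_SEPARATOR.$archiveName, the top-level exported path, so a symlink nested inside an exported directory is not rejected by this block and its handling is left entirely to the archive command. The code comment should say that, so a later reader does not take this check as covering directory downloads. Two smaller points in the same block: the refusal is sent as 'HTTP/1.x 500 Internal Server Error', where a 403 would describe a deliberate refusal better than a server fault, and "seems to error prone" in the comment should read "too error prone".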
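
Review bot: In the dl.php hunk at @@ -180,7 +192,7 @@, the fix depends on whatever binary $config->zip points to accepting --symlinks, and nothing in the patch or the port documents that requirement. A binary that rejects the option would land in the visible $retcode != 0 branch, so the failure is a broken zip download rather than link following, but an administrator would only see 'Unable to call zip command' in the log. Either note the requirement next to the option or use the short form -y, which Info-ZIP zip also accepts. This hunk changes only the zip command line; any other archive command in dl.php should be checked for link dereferencing as part of the same fix.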
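
Review bot: In the include/setup.php hunk at @@ -467,7 +467,7 @@, $path is now escaped at assignment and then escaped a second time by the unchanged line $vars['safepath'] = escape($path);, so if escape() is an entity encoder, as the XSS comment implies, safepath ends up double-encoded for any path containing characters such as & or <. The same change means $path itself no longer holds the raw request value, so any later code that uses it as a repository path would see the escaped form. It would be cleaner to validate or normalise $path here and escape only at the point of output, or, if escaping at assignment is kept, to drop the second escape() and check every other consumer of $path.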
Flags: rakuco: maintainer-approval+