svn commit: r410475 - in branches/2016Q1/devel/websvn: . files
Raphael Kubo da Costa
rakuco at FreeBSD.org
Sun Mar 6 18:30:24 UTC 2016
Author: rakuco
Date: Sun Mar 6 18:30:22 2016
New Revision: 410475
URL: https://svnweb.freebsd.org/changeset/ports/410475
Log:
MFH: r410474
Add patches to fix CVE-2013-6892 and CVE-2016-2511.
PR: 207740
Approved by: ports-secteam (feld)
Added:
branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892
- copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2013-6892
branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511
- copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2016-2511
Modified:
branches/2016Q1/devel/websvn/Makefile
Directory Properties:
branches/2016Q1/ (props changed)
Modified: branches/2016Q1/devel/websvn/Makefile
==============================================================================
--- branches/2016Q1/devel/websvn/Makefile Sun Mar 6 18:26:38 2016 (r410474)
+++ branches/2016Q1/devel/websvn/Makefile Sun Mar 6 18:30:22 2016 (r410475)
@@ -3,6 +3,7 @@
PORTNAME= websvn
PORTVERSION= 2.3.3
+PORTREVISION= 1
CATEGORIES= devel www
MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/
Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 (from r410474, head/devel/websvn/files/patch-CVE-2013-6892)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 Sun Mar 6 18:30:22 2016 (r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2013-6892)
@@ -0,0 +1,37 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst <thijs at debian.org>
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+--- dl.php.orig 2011-06-27 09:02:52 UTC
++++ dl.php
+@@ -137,6 +137,18 @@ if ($rep) {
+ exit(0);
+ }
+
++ // For security reasons, disallow direct downloads of filenames that
++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++ // Deciding whether the symlink is relative and legal within the
++ // repository would be nice but seems to error prone at this moment.
++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++ header('HTTP/1.x 500 Internal Server Error', true, 500);
++ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
++ removeDirectory($tempDir);
++ exit(0);
++ }
++
+ // Set timestamp of exported directory (and subdirectories) to timestamp of
+ // the revision so every archive of a given revision has the same timestamp.
+ $revDate = $logEntry->date;
+@@ -180,7 +192,7 @@ if ($rep) {
+ $downloadMimeType = 'application/x-zip';
+ $downloadArchive .= '.zip';
+ // Create zip file
+- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ execCommand($cmd, $retcode);
+ if ($retcode != 0) {
+ error_log('Unable to call zip command: '.$cmd);
Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 (from r410474, head/devel/websvn/files/patch-CVE-2016-2511)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 Sun Mar 6 18:30:22 2016 (r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2016-2511)
@@ -0,0 +1,12 @@
+Obtained from: Debian
+--- include/setup.php.orig 2011-06-27 09:12:51 UTC
++++ include/setup.php
+@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('',
+ $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
+
+ // To avoid a possible XSS exploit, need to clean up the passed-in path first
+-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
+ if ($path === null || $path === '')
+ $path = '/';
+ $vars['safepath'] = escape($path);
More information about the svn-ports-all
mailing list