From owner-svn-ports-branches@freebsd.org Sun Mar 6 18:30:24 2016
Return-Path:
Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28F9CAB6F6F; Sun, 6 Mar 2016 18:30:24 +0000 (UTC) (envelope-from rakuco@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0405712B3; Sun, 6 Mar 2016 18:30:23 +0000 (UTC) (envelope-from rakuco@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u26IUNG5080498; Sun, 6 Mar 2016 18:30:23 GMT (envelope-from rakuco@FreeBSD.org)
Received: (from rakuco@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u26IUMJv080495; Sun, 6 Mar 2016 18:30:22 GMT (envelope-from rakuco@FreeBSD.org)
Message-Id: <201603061830.u26IUMJv080495@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: rakuco set sender to rakuco@FreeBSD.org using -f
From: Raphael Kubo da Costa Date: Sun, 6 Mar 2016 18:30:22 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r410475 - in branches/2016Q1/devel/websvn: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Mar 2016 18:30:24 -0000 Author: rakuco Date: Sun Mar 6 18:30:22 2016 New Revision: 410475 URL: https://svnweb.freebsd.org/changeset/ports/410475 Log: MFH: r410474 Add patches to fix CVE-2013-6892 and CVE-2016-2511. PR: 207740 Approved by: ports-secteam (feld) Added: branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 - copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2013-6892 branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 - copied unchanged from r410474, head/devel/websvn/files/patch-CVE-2016-2511 Modified: branches/2016Q1/devel/websvn/Makefile Directory Properties: branches/2016Q1/ (props changed) Modified: branches/2016Q1/devel/websvn/Makefile ============================================================================== --- branches/2016Q1/devel/websvn/Makefile Sun Mar 6 18:26:38 2016 (r410474) +++ branches/2016Q1/devel/websvn/Makefile Sun Mar 6 18:30:22 2016 (r410475) @@ -3,6 +3,7 @@ PORTNAME= websvn PORTVERSION= 2.3.3 +PORTREVISION= 1 CATEGORIES= devel www MASTER_SITES= http://websvn.tigris.org/files/documents/1380/49056/ Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 (from r410474, head/devel/websvn/files/patch-CVE-2013-6892) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q1/devel/websvn/files/patch-CVE-2013-6892 Sun Mar 6 18:30:22 2016 (r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2013-6892) @@ -0,0 +1,37 @@ +Arbitrary files with a known path can be accessed in websvn by committing a +symlink to a repository and then downloading the file (using the download +link). + +Author: Thijs Kinkhorst + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682 +--- dl.php.orig 2011-06-27 09:02:52 UTC ++++ dl.php +@@ -137,6 +137,18 @@ if ($rep) { + exit(0); + } + ++ // For security reasons, disallow direct downloads of filenames that ++ // are a symlink, since they may be a symlink to anywhere (/etc/passwd) ++ // Deciding whether the symlink is relative and legal within the ++ // repository would be nice but seems to error prone at this moment. ++ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) { ++ header('HTTP/1.x 500 Internal Server Error', true, 500); ++ error_log('to be downloaded file is symlink, aborting: '.$archiveName); ++ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".'; ++ removeDirectory($tempDir); ++ exit(0); ++ } ++ + // Set timestamp of exported directory (and subdirectories) to timestamp of + // the revision so every archive of a given revision has the same timestamp. + $revDate = $logEntry->date; +@@ -180,7 +192,7 @@ if ($rep) { + $downloadMimeType = 'application/x-zip'; + $downloadArchive .= '.zip'; + // Create zip file +- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName); ++ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName); + execCommand($cmd, $retcode); + if ($retcode != 0) { + error_log('Unable to call zip command: '.$cmd); Copied: branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 (from r410474, head/devel/websvn/files/patch-CVE-2016-2511) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q1/devel/websvn/files/patch-CVE-2016-2511 Sun Mar 6 18:30:22 2016 (r410475, copy of r410474, head/devel/websvn/files/patch-CVE-2016-2511) @@ -0,0 +1,12 @@ +Obtained from: Debian +--- include/setup.php.orig 2011-06-27 09:12:51 UTC ++++ include/setup.php +@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', + $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26'); + + // To avoid a possible XSS exploit, need to clean up the passed-in path first +-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null; ++$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null; + if ($path === null || $path === '') + $path = '/'; + $vars['safepath'] = escape($path);
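Review bot: in the dl.php hunk at @@ -137,6 +137,18 @@ (patch-CVE-2013-6892), the new is_link() guard inspects only the top-level path $tempDir/$archiveName, so it rejects a download whose root is itself a symlink but says nothing about symlinks nested below an exported directory; the comment should state that the nested case is left to the archiver (the --symlinks change in the second hunk), so the two halves of the fix are not read as redundant. Two smaller points: "seems to error prone" should read "seems too error prone", and a 500 Internal Server Error is an odd status for a request the server deliberately refuses; 403 Forbidden describes the outcome better and keeps the rejection out of generic 5xx alerting. The cleanup path is right: removeDirectory($tempDir) before exit(0) avoids leaving the exported tree behind.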
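Review bot: in the dl.php hunk at @@ -180,7 +192,7 @@ (patch-CVE-2013-6892), adding --symlinks makes Info-ZIP zip store a symlink as a link entry rather than following it, which is what stops a link committed inside a directory from pulling the target's contents into the archive; this is the half of the fix that covers symlinks the is_link() check above cannot see. The option only changes the zip command line, so if dl.php builds any other archive format from the same export, that branch needs the equivalent "do not dereference" setting too, otherwise the original issue survives for that format. A one-line comment next to the flag saying why it is there would keep a later cleanup from dropping it.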
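Review bot: in the include/setup.php hunk at @@ -467,7 +467,7 @@ (patch-CVE-2016-2511), escape() is now applied to $_REQUEST['path'] on assignment, but the unchanged line $vars['safepath'] = escape($path); still escapes the same value, so a path containing "&" ends up double-encoded in safepath (assuming escape() is the HTML-entity escaping helper its existing use for safepath implies). Either drop the second escape() or keep the raw value in $path and escape only where it is emitted into HTML. Escaping at the input boundary also changes the value the rest of setup.php uses to look the path up in the repository, so a path whose name legitimately contains "&", "<" or quotes may stop resolving; a regression test with such a name in a test repository would show whether this matters.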