websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access

Related Vulnerabilities: CVE-2013-6892  

Debian Bug report logs - #775682
websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access


Package: websvn; Maintainer for websvn is Pierre Chifflier <pollux@debian.org>; Source for websvn is src:websvn (PTS, buildd, popcon).

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 18 Jan 2015 16:42:01 UTC

Severity: serious

Tags: patch, security, upstream

Fixed in versions websvn/2.3.3-1.2, websvn/2.3.1-1+deb6u1, websvn/2.3.3-1.1+deb7u1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#775682; Package websvn. (Sun, 18 Jan 2015 16:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2015 16:42:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: arbitrary file access when downloads enabled for users with commit access
Date: Sun, 18 Jan 2015 17:39:26 +0100
[Message part 1 (text/plain, inline)]
Package: websvn
Severity: serious
Tags: security patch

Hi,

James Clawson reported:

"Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).

An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.

Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
  resolved on the web server).

This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories."


I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.

I've created the attached patch, which solves the bug.

Cheers,
Thijs
[websvn_symlinks.patch (text/x-diff, attachment)]
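The report above describes the server resolving a committed symlink at download time, both for a single file and, with dlmode=zip, for a directory tree. As an added illustration of the defensive check (not code from websvn, nor from the attached patch), the Python below serves a download from an exported working tree only after lstat'ing every path component below the export root, refusing a symlinked file and leaving symlinked entries out of a zip; the export root, `safe_download` and the constructed demo tree are all assumptions of this example.

```python
import io, os, tempfile, zipfile
from pathlib import Path

class DownloadRefused(Exception):
    """The requested path is, or passes through, a symlink (or escapes the export root)."""

def resolve_no_symlink(export_root, rel_path):
    """Build the path one component at a time, lstat'ing each, so a symlinked directory on the way is refused, not only a symlinked leaf."""
    root = target = Path(export_root)
    for part in Path(rel_path).parts:
        target = target / part
        if part in ("..", "/") or target.is_symlink():
            raise DownloadRefused(f"{rel_path!r}: refused at component {part!r}")
    return target

def safe_download(export_root, rel_path):
    """Regular file: (bytes, []). Directory (dlmode=zip): (zip bytes, symlinked entries left out of the zip)."""
    top = resolve_no_symlink(export_root, rel_path)
    if top.is_file():
        return top.read_bytes(), []
    buf, skipped = io.BytesIO(), []
    with zipfile.ZipFile(buf, "w") as zf:
        for dirpath, dirnames, filenames in os.walk(top, followlinks=False):
            here = Path(dirpath)
            links = [n for n in dirnames + filenames if (here / n).is_symlink()]
            skipped += [str((here / n).relative_to(top)) for n in links]
            dirnames[:] = [d for d in dirnames if d not in links]  # followlinks=False still lists them; never descend
            for f in filenames:
                if f not in links:
                    zf.write(here / f, arcname=str((here / f).relative_to(top.parent)))
    return buf.getvalue(), sorted(skipped)

def demo():
    """Constructed export tree: one regular file plus symlinks to a stand-in /etc/passwd and to its directory, both outside the export root."""
    base = Path(tempfile.mkdtemp())
    (base / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")  # constructed stand-in, not the real file
    root = base / "export"
    (root / "trunk").mkdir(parents=True)
    (root / "trunk/README").write_text("hello\n")
    os.symlink(base / "passwd", root / "trunk/passwd")  # symlink to a file outside the export
    os.symlink(base, root / "trunk/etc")                # symlink to a directory outside the export
    results = {"readme": safe_download(root, "trunk/README")[0], "refused": []}
    for rel in ("trunk/passwd", "trunk/etc/passwd"):
        try:
            safe_download(root, rel)
        except DownloadRefused:
            results["refused"].append(rel)
    data, results["zip_skipped"] = safe_download(root, "trunk")
    results["zip_names"] = zipfile.ZipFile(io.BytesIO(data)).namelist()
    return results
```

The check runs on the exported copy rather than on svn metadata, so it also catches a symlink that arrives by any other route into the export directory.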

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Jan 2015 20:18:14 GMT) (full text, mbox, link).


Changed Bug title to 'websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access' from 'arbitrary file access when downloads enabled for users with commit access' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Jan 2015 20:18:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#775682; Package websvn. (Sat, 24 Jan 2015 13:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sat, 24 Jan 2015 13:30:04 GMT) (full text, mbox, link).


Message #14 received at 775682@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 775682@bugs.debian.org
Subject: diff for websvn nmu
Date: Sat, 24 Jan 2015 14:27:32 +0100
[Message part 1 (text/plain, inline)]
Hi,

I've NMU'ed websvn for this security issue with the attached debdiff.


Cheers,
Thijs
[websvn_nmudiff.debdiff (application/octet-stream, attachment)]

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 24 Jan 2015 13:36:06 GMT) (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jan 2015 13:36:06 GMT) (full text, mbox, link).


Message #19 received at 775682-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 775682-close@bugs.debian.org
Subject: Bug#775682: fixed in websvn 2.3.3-1.2
Date: Sat, 24 Jan 2015 13:33:23 +0000
Source: websvn
Source-Version: 2.3.3-1.2

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 websvn     - interface for Subversion repositories written in PHP
Closes: 775682
Changes:
 websvn (2.3.3-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
     file access (CVE-2013-6892, Closes: #775682).

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 24 Jan 2015 19:21:09 GMT) (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jan 2015 19:21:09 GMT) (full text, mbox, link).


Message #24 received at 775682-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 775682-close@bugs.debian.org
Subject: Bug#775682: fixed in websvn 2.3.1-1+deb6u1
Date: Sat, 24 Jan 2015 19:18:38 +0000
Source: websvn
Source-Version: 2.3.1-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.1-1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 websvn     - interface for Subversion repositories written in PHP
Closes: 775682
Changes: 
 websvn (2.3.1-1+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
     file access (CVE-2013-6892, Closes: #775682).

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 25 Jan 2015 15:21:10 GMT) (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 25 Jan 2015 15:21:10 GMT) (full text, mbox, link).


Message #29 received at 775682-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 775682-close@bugs.debian.org
Subject: Bug#775682: fixed in websvn 2.3.3-1.1+deb7u1
Date: Sun, 25 Jan 2015 15:17:16 +0000
Source: websvn
Source-Version: 2.3.3-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +0000
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.3-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 websvn     - interface for Subversion repositories written in PHP
Closes: 775682
Changes: 
 websvn (2.3.3-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
     file access (CVE-2013-6892, Closes: #775682).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:04:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:21:16 2019; Machine Name: buxtehude
