Bug 552684 (CVE-2013-6892)

Summary: <www-apps/websvn-2.3.3-r1: Symlink attack (CVE-2013-6892)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: grknight, web-apps
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list: =www-apps/websvn-2.3.3-r1
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 575486, 582234

Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 21:14:00 UTC
CVE-2013-6892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6892):
  WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a
  symlink attack in a commit.
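The description above names a symlink in a commit as the read primitive: a repository browser that opens files from an exported tree by joining the root with the requested path follows the symlink and hands back whatever it points at. As an added illustration that is not part of this bug report, the Debian patch, or WebSVN's own code, the following Python contrasts that naive read with one that confines the canonical (symlink- and `..`-resolved) path to the export root. The directory layout, file names and the `serve_repo_file*` helpers are constructed for the demo.

```python
import os
import tempfile


def serve_repo_file_naive(export_root: str, rel_path: str) -> bytes:
    """Vulnerable pattern: join and open. open() follows symlinks, so a link
    committed into the tree that targets a file outside the export is served."""
    with open(os.path.join(export_root, rel_path), "rb") as fh:
        return fh.read()


def serve_repo_file(export_root: str, rel_path: str) -> bytes:
    """Hardened pattern: resolve the candidate to its canonical location first
    and refuse it unless that location is the export root or a descendant."""
    root = os.path.realpath(export_root)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    # commonpath() equals root only when candidate is root or below it; a link
    # resolving to e.g. /etc/passwd yields "/" here and is rejected.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refusing to read outside export root: {rel_path}")
    with open(candidate, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: a benign file inside the export, a secret outside
    it, and a symlink inside the export (the 'commit') pointing at the secret."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        export = os.path.join(base, "export")
        os.mkdir(export)
        outside = os.path.join(base, "outside-secret.txt")
        with open(outside, "w") as fh:
            fh.write("not for the web UI\n")
        with open(os.path.join(export, "README"), "w") as fh:
            fh.write("hello\n")
        os.symlink(outside, os.path.join(export, "escape"))

        # Benign file: both variants serve it.
        results["readme"] = serve_repo_file(export, "README")
        # Naive read follows the committed symlink out of the tree.
        results["naive_escape"] = serve_repo_file_naive(export, "escape")
        # Hardened read refuses the symlink and a plain '..' traversal alike.
        for name in ("escape", "../outside-secret.txt"):
            try:
                serve_repo_file(export, name)
                results[name] = "served"
            except PermissionError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by inspecting link flags, so it also covers a symlinked parent directory and a literal `..` component with one rule; a dangling link still resolves outside the root and is refused before `open()` is reached.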
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-01-11 15:40:13 UTC
Debian has a patch at https://sources.debian.net/patches/patch/websvn/2.3.3-1.2/13_security_CVE-2013-6892.patch/

I would be willing to apply this along with bug 552838 if no one has objections
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-01-13 00:05:08 UTC
Then again, this package will self-destruct with >=dev-lang/php-7.0 without major surgery.

Perhaps we should kill it?
Comment 3 Brian Evans (RETIRED) gentoo-dev 2016-08-11 18:32:39 UTC
Upstream is dead; patches come from Debian.

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 13:30:45 UTC
@arches, please stabilize:

=www-apps/websvn-2.3.3-r1
Comment 5 Agostino Sarubbo gentoo-dev 2016-10-26 10:12:52 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-10-26 10:13:53 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-04 13:21:16 UTC
Stable for PPC64.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 05:28:53 UTC
@ppc, please finalize stabilization.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:52 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 18:53:35 UTC
GLSA Vote: No