Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 552684 (CVE-2013-6892) - <www-apps/websvn-2.3.3-r1: Symlink attack (CVE-2013-6892)
Summary: <www-apps/websvn-2.3.3-r1: Symlink attack (CVE-2013-6892)
Status: RESOLVED FIXED
Alias: CVE-2013-6892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks: 575486 CVE-2016-1236
  Show dependency tree
 
Reported: 2015-06-20 21:14 UTC by GLSAMaker/CVETool Bot
Modified: 2017-01-16 04:39 UTC (History)
2 users (show)

See Also:
Package list:
=www-apps/websvn-2.3.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 21:14:00 UTC
CVE-2013-6892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6892):
  WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a
  symlink attack in a commit.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2016-01-11 15:40:13 UTC
Debian has a patch at https://sources.debian.net/patches/patch/websvn/2.3.3-1.2/13_security_CVE-2013-6892.patch/

I would be willing to apply this along with bug 552838 if no one has objections
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2016-01-13 00:05:08 UTC
Then again, this package will self-destruct with >=dev-lang/php-7.0 without major surgery.

Perhaps we should kill it?
Comment 3 Brian Evans Gentoo Infrastructure gentoo-dev 2016-08-11 18:32:39 UTC
Upstream is dead; Patches come from Debian

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-22 13:30:45 UTC
@arches, please stabilize:

=www-apps/websvn-2.3.3-r1
Comment 5 Agostino Sarubbo gentoo-dev 2016-10-26 10:12:52 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-10-26 10:13:53 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-04 13:21:16 UTC
Stable for PPC64.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-26 05:28:53 UTC
@ppc, please finalize stabilization.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:52 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-01-15 18:53:35 UTC
GLSA Vote: No