Bug 552684 (CVE-2013-6892) - <www-apps/websvn-2.3.3-r1: Symlink attack (CVE-2013-6892)
Summary: <www-apps/websvn-2.3.3-r1: Symlink attack (CVE-2013-6892)
Status: RESOLVED FIXED
Alias: CVE-2013-6892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks: 575486 CVE-2016-1236
Reported: 2015-06-20 21:14 UTC by GLSAMaker/CVETool Bot
Modified: 2017-01-16 04:39 UTC
CC List: 2 users

See Also:
Package list:
=www-apps/websvn-2.3.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 21:14:00 UTC
CVE-2013-6892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6892):
  WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a
  symlink attack in a commit.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-01-11 15:40:13 UTC
Debian has a patch at https://sources.debian.net/patches/patch/websvn/2.3.3-1.2/13_security_CVE-2013-6892.patch/

I would be willing to apply this along with bug 552838 if no one has objections.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-01-13 00:05:08 UTC
Then again, this package will self-destruct with >=dev-lang/php-7.0 without major surgery.

Perhaps we should kill it?
Comment 3 Brian Evans (RETIRED) gentoo-dev 2016-08-11 18:32:39 UTC
Upstream is dead; patches come from Debian.

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=196fa902

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 13:30:45 UTC
@arches, please stabilize:

=www-apps/websvn-2.3.3-r1
Comment 5 Agostino Sarubbo gentoo-dev 2016-10-26 10:12:52 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-10-26 10:13:53 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-04 13:21:16 UTC
Stable for PPC64.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 05:28:53 UTC
@ppc, please finalize stabilization.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:52 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 18:53:35 UTC
GLSA Vote: No