Control: tags -1 pending

Dear maintainer,

I've prepared a security update of psensor for Jessie versioned as
1.1.3-2+deb8u1. I intend to upload it shortly after this message. Please
find attached the debdiff.

Regards,

Markus
diff -Nru psensor-1.1.3/debian/changelog psensor-1.1.3/debian/changelog
--- psensor-1.1.3/debian/changelog      2014-10-13 09:20:27.000000000 +0200
+++ psensor-1.1.3/debian/changelog      2018-04-24 21:23:26.000000000 +0200
@@ -1,3 +1,12 @@
+psensor (1.1.3-2+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2014-10073: The create_response function in server/server.c in
+    Psensor allows Directory Traversal because it lacks a check for whether a
+    file is under the webserver directory. (Closes: #896195)
+
+ -- Markus Koschany <a...@debian.org>  Tue, 24 Apr 2018 21:23:26 +0200
+
 psensor (1.1.3-2) unstable; urgency=medium
 
   * debian/control
diff -Nru psensor-1.1.3/debian/patches/CVE-2014-10073.patch 
psensor-1.1.3/debian/patches/CVE-2014-10073.patch
--- psensor-1.1.3/debian/patches/CVE-2014-10073.patch   1970-01-01 
01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/CVE-2014-10073.patch   2018-04-24 
21:23:26.000000000 +0200
@@ -0,0 +1,74 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 23 Apr 2018 23:51:42 +0200
+Subject: CVE-2014-10073
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896195
+Origin: 
http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c
+---
+ src/server/server.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/src/server/server.c b/src/server/server.c
+index 5862586..fd5662a 100644
+--- a/src/server/server.c
++++ b/src/server/server.c
+@@ -23,6 +23,7 @@
+ #include <libintl.h>
+ #define _(str) gettext(str)
+ 
++#include <limits.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -246,13 +247,24 @@ static struct MHD_Response *
+ create_response(const char *nurl, const char *method, unsigned int *rp_code)
+ {
+       struct MHD_Response *resp = NULL;
++      char *rpath;
++      int n;
+ 
+       if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
+               resp = create_response_api(nurl, method, rp_code);
+       } else {
+               char *fpath = get_path(nurl, server_data.www_dir);
+ 
+-              resp = create_response_file(nurl, method, rp_code, fpath);
++              rpath = realpath(fpath, NULL);
++              if (rpath) {
++                      n = strlen(server_data.www_dir);
++                      if (!strncmp(server_data.www_dir, rpath, n))
++                              resp = create_response_file(nurl,
++                                                          method,
++                                                          rp_code,
++                                                          fpath);
++                      free(rpath);
++              }
+ 
+               free(fpath);
+       }
+@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
+               switch (optc) {
+               case 'w':
+                       if (optarg)
+-                              server_data.www_dir = strdup(optarg);
++                              server_data.www_dir = realpath(optarg, NULL);
+                       break;
+               case 'p':
+                       if (optarg)
+@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
+               exit(EXIT_FAILURE);
+       }
+ 
+-      if (!server_data.www_dir)
+-              server_data.www_dir = strdup(DEFAULT_WWW_DIR);
++      if (!server_data.www_dir) {
++              server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
++              if (!server_data.www_dir) {
++                      fprintf(stderr,
++                              _("Webserver directory does not exist.\n"));
++                      exit(EXIT_FAILURE);
++              }
++      }
+ 
+       if (!log_file)
+               log_file = strdup(DEFAULT_LOG_FILE);
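Review bot: The containment test on the `if (!strncmp(server_data.www_dir, rpath, n))` line only checks that the resolved path begins with the www_dir string, so a sibling entry whose name merely extends www_dir (same prefix, extra trailing characters) still passes; add a boundary test after the prefix match, `if (!strncmp(server_data.www_dir, rpath, n) && (rpath[n] == '/' || rpath[n] == '\0'))`, which is sound here because www_dir itself now comes from realpath() and so carries no trailing slash. In main's `case 'w'`, a failed `realpath(optarg, NULL)` leaves www_dir NULL, and the later `if (!server_data.www_dir)` block then silently substitutes DEFAULT_WWW_DIR instead of reporting the unusable -w argument; checking the result immediately after that assignment and exiting with the same "Webserver directory does not exist." message would close that gap. `n` is declared `int` but receives a `size_t` from strlen(); `size_t n` matches the type and avoids the sign conversion. The remainder of create_response and of main lies outside the quoted hunks.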
diff -Nru psensor-1.1.3/debian/patches/series 
psensor-1.1.3/debian/patches/series
--- psensor-1.1.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ psensor-1.1.3/debian/patches/series 2018-04-24 21:23:26.000000000 +0200
@@ -0,0 +1 @@
+CVE-2014-10073.patch
