Hi Yves,

On Mon, Jan 07, 2013 at 09:32:48PM +0100, Yves-Alexis Perez wrote:
> On lun., 2013-01-07 at 09:11 +0100, Daniel Pocock wrote:
> > On 07/01/13 07:27, Yves-Alexis Perez wrote:
> > > On lun., 2013-01-07 at 00:35 +0100, Daniel Pocock wrote:
> > >
> > >> Yes, the 3.1.8 security fix from upstream has been packaged and has
> > >> been waiting for security team to process through to the archive
> > >>
> > > Can you elaborate on that?
> > >
> >
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683584#25
> >
> > was done before I became a DD, so although I could upload the fix into
> > git.debian.org, I did not have any access to upload any binary package
> >
> > Has somebody built and uploaded to the archive already? As it is for
> > current stable branch, can I upload myself or does the security team
> > take care of the upload?
>
> Please provide a debdiff against stable.
I tried to look at this myself and found upstream commit [1], for a similar commit. [1]: https://github.com/ganglia/ganglia-web/commit/b9f47b0eb9ae81144e90544b04e85bed15c8c2f4 Comparing the diff 3.1.7 to 3.1.8 source I find this: ----cut---------cut---------cut---------cut---------cut---------cut----- diff -urN source-ganglia/ganglia-3.1.7/web/graph.php ganglia-3.1.8/web/graph.php --- source-ganglia/ganglia-3.1.7/web/graph.php 2010-02-17 12:05:39.000000000 +0100 +++ ganglia-3.1.8/web/graph.php 2012-08-15 19:12:12.000000000 +0200 @@ -1,5 +1,5 @@ <?php -/* $Id: graph.php 2183 2010-01-07 16:09:55Z d_pocock $ */ +/* $Id$ */ include_once "./eval_config.php"; include_once "./get_context.php"; include_once "./functions.php"; @@ -122,7 +122,7 @@ $graph_file = "$graphdir/$graph.php"; -if ( is_readable($graph_file) ) { +if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) { include_once($graph_file); $graph_function = "graph_${graph}"; ----cut---------cut---------cut---------cut---------cut---------cut----- By passing g= argument, it is possible to traverse the path and load another file and execute code from it. Attached is the debdiff against 3.1.7-1 in squeeze. Regards, Salvatore
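Review bot: the containment check on the `+if` line of the graph.php hunk stops the traversal, but it is the only constraint on `$graph`, and realpath() resolves symlinks, so a template that is itself a symlink from $graphdir to a file elsewhere is now rejected, while the raw `$graph` (which may still contain "./" or "sub/../" segments that resolve back into $graphdir) flows unchanged into `$graph_function = "graph_${graph}";`. A stricter and easier-to-audit alternative is to reject any `$graph` that is not a plain identifier before building the path, e.g. `preg_match('/^[A-Za-z0-9_]+$/', $graph)`, which blocks traversal without touching the filesystem and guarantees the derived function name is well-formed. Note also that realpath() returns false for a path that does not exist; here is_readable() short-circuits first so that is safe, but the order of the two operands must be kept if the line is ever refactored.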
diff -u ganglia-3.1.7/debian/changelog ganglia-3.1.7/debian/changelog --- ganglia-3.1.7/debian/changelog +++ ganglia-3.1.7/debian/changelog @@ -1,3 +1,13 @@ +ganglia (3.1.7-1+squeeze1) stable-security; urgency=high + + * Non-maintainer upload. + * Fix for path traversal issue when supplying name of a graph + web/graph.php: Check for path traversal issues by making sure real path + is actually in graphdir. Fixes CVE-2012-3448. + Fix backported from ganglia 3.1.8. (Closes: #683584) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 19 Jan 2013 10:04:17 +0100 + ganglia (3.1.7-1) unstable; urgency=low * New upstream version. Closes: #584276. only in patch2: unchanged: --- ganglia-3.1.7.orig/web/graph.php +++ ganglia-3.1.7/web/graph.php @@ -122,7 +122,7 @@ $graph_file = "$graphdir/$graph.php"; -if ( is_readable($graph_file) ) { +if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) { include_once($graph_file); $graph_function = "graph_${graph}";
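Review bot: the backported hunk is identical to the upstream 3.1.8 change, so the only question is where it lives: the `only in patch2: unchanged:` header shows web/graph.php being modified directly in the source tree, which is fine for a 1.0-format package, but if 3.1.7-1 carries a debian/patches series the fix belongs there with a DEP-3 header naming CVE-2012-3448 and #683584 so a later upload does not silently drop it. The changelog entry itself is complete (CVE, bug number, origin of the fix, NMU marked).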
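The mechanism Salvatore describes, as an added example that is not part of the thread or of Ganglia's own code: the pre-3.1.8 lookup in web/graph.php accepts any readable path built from the g= parameter, the 3.1.8 fix compares the canonical parent directory of the resolved file against the canonical $graphdir, and a character allowlist (a hypothetical alternative, not what the patch does) rejects the bad input before touching the filesystem. The directory layout and file names are constructed for the demonstration.

```php
<?php
// Added example, not Ganglia's code. Contrasts the vulnerable lookup in
// web/graph.php (< 3.1.8) with the realpath() containment check from 3.1.8
// and with a simpler identifier allowlist. All paths below are constructed.

// Throwaway layout:  $base/graphs/load_report.php  (legitimate template)
//                    $base/secret.php              (outside $graphdir)
$base = sys_get_temp_dir() . '/ganglia_demo_' . getmypid();
$graphdir = "$base/graphs";
mkdir($graphdir, 0700, true);
file_put_contents("$graphdir/load_report.php", "<?php /* legitimate graph template */\n");
file_put_contents("$base/secret.php", "<?php /* file an attacker wants included */\n");

// Pre-3.1.8 behaviour: any readable path is accepted, so g=../secret
// resolves to $base/secret.php and would reach include_once().
function resolve_vulnerable(string $graphdir, string $graph): ?string
{
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file) ? $graph_file : null;
}

// 3.1.8 fix: the canonical parent directory of the resolved file must be
// exactly the canonical $graphdir. realpath() collapses "..", so traversal
// candidates resolve outside $graphdir and are rejected. is_readable() runs
// first, so realpath() is never called on a non-existent path.
function resolve_fixed(string $graphdir, string $graph): ?string
{
    $graph_file = "$graphdir/$graph.php";
    if (is_readable($graph_file)
        && realpath($graphdir) === dirname(realpath($graph_file))) {
        return $graph_file;
    }
    return null;
}

// Hypothetical alternative (not from the patch): refuse anything that is
// not a plain identifier before building the path. This blocks traversal
// without a filesystem call and keeps "graph_$graph" a valid function name.
function resolve_allowlist(string $graphdir, string $graph): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $graph)) {
        return null;
    }
    $graph_file = "$graphdir/$graph.php";
    return is_readable($graph_file) ? $graph_file : null;
}

// Exercise a legitimate name, a traversal attempt and a missing template.
foreach (['load_report', '../secret', 'missing'] as $g) {
    printf("%-14s vulnerable=%-5s fixed=%-5s allowlist=%s\n",
        "g=$g",
        resolve_vulnerable($graphdir, $g) ? 'LOAD' : 'deny',
        resolve_fixed($graphdir, $g) ? 'LOAD' : 'deny',
        resolve_allowlist($graphdir, $g) ? 'LOAD' : 'deny');
}

// Remove the constructed files.
unlink("$graphdir/load_report.php");
unlink("$base/secret.php");
rmdir($graphdir);
rmdir($base);
```

Run it with `php` from any directory with a writable temp dir: the legitimate name is accepted by all three resolvers, the `../secret` traversal is accepted only by the vulnerable one and rejected by both the realpath() check and the allowlist, and the missing template is rejected everywhere. Both safe variants can be combined; the allowlist is the cheaper first line, the realpath() comparison catches anything the allowlist's author forgot.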