Control: tags 891639 + patch
Control: tags 891639 + pending

Dear maintainer,

I've prepared an NMU for uwsgi (versioned as 2.0.15-10.4) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog
--- uwsgi-2.0.15/debian/changelog	2018-03-10 23:16:35.000000000 +0100
+++ uwsgi-2.0.15/debian/changelog	2018-03-17 09:21:22.000000000 +0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.15-10.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * enforce php default document_root behaviour, to not show external files
+    (CVE-2018-7490) (Closes: #891639)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 17 Mar 2018 09:21:22 +0100
+
 uwsgi (2.0.15-10.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru uwsgi-2.0.15/debian/patches/0002-enforce-php-default-document_root-behaviour-to-not-s.patch uwsgi-2.0.15/debian/patches/0002-enforce-php-default-document_root-behaviour-to-not-s.patch
--- uwsgi-2.0.15/debian/patches/0002-enforce-php-default-document_root-behaviour-to-not-s.patch	1970-01-01 01:00:00.000000000 +0100
+++ uwsgi-2.0.15/debian/patches/0002-enforce-php-default-document_root-behaviour-to-not-s.patch	2018-03-17 09:21:22.000000000 +0100
@@ -0,0 +1,61 @@
+From: Unbit <[email protected]>
+Date: Sat, 17 Feb 2018 14:10:29 +0100
+Subject: enforce php default document_root behaviour, to not show external
+ files
+Origin: https://github.com/unbit/uwsgi/commit/0a480f435ea6feb63deb410ad2bf376ed3f05f8a
+Bug-Debian: https://bugs.debian.org/891639
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7490
+
+---
+ plugins/php/php_plugin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/plugins/php/php_plugin.c b/plugins/php/php_plugin.c
+index b9eed08b..0747adbf 100644
+--- a/plugins/php/php_plugin.c
++++ b/plugins/php/php_plugin.c
+@@ -17,6 +17,7 @@ struct uwsgi_php {
+ 	struct uwsgi_string_list *vars;
+ 	struct uwsgi_string_list *constants;
+ 	char *docroot;
++	size_t docroot_len;
+ 	char *app;
+ 	char *app_qs;
+ 	char *fallback;
+@@ -631,6 +632,8 @@ int uwsgi_php_init(void) {
+ 			uwsgi_log("unable to set php docroot to %s\n", orig_docroot);
+ 			exit(1);
+ 		}
++		uwsgi_log("PHP document root set to %s\n", uphp.docroot);
++		uphp.docroot_len = strlen(uphp.docroot);
+ 	}
+ 
+ 	if (uphp.sapi_name) {
+@@ -849,6 +852,7 @@ oldstyle:
+ 	free(filename);
+ 	real_filename_len = strlen(real_filename);
+ 
++	// first check for valid doc roots
+ 	if (uphp.allowed_docroot) {
+ 		struct uwsgi_string_list *usl = uphp.allowed_docroot;
+ 		while(usl) {
+@@ -861,6 +865,16 @@ oldstyle:
+ 		uwsgi_log("PHP security error: %s is not under an allowed docroot\n", real_filename);
+ 		return -1;
+ 	}
++	// then for default docroot (if any)
++	else if (uphp.docroot)
++	{
++		if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)) {
++			goto secure;
++		}
++		uwsgi_403(wsgi_req);
++		uwsgi_log("PHP security error: %s is not under the default docroot\n", real_filename);
++		return -1;
++	}
+ 
+ secure:
+ 
+-- 
+2.16.2
+
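Review bot: In the new `else if (uphp.docroot)` branch of plugins/php/php_plugin.c, the containment test is a plain string-prefix comparison, `uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)`, and `docroot_len` is simply `strlen(uphp.docroot)` taken in `uwsgi_php_init`. Nothing in the visible lines guarantees that `uphp.docroot` ends in `/`, so a resolved path in a sibling directory whose name only begins with the docroot string would still be treated as inside it. I would either normalize the docroot to end with `/` at init before taking its length, or additionally require that `real_filename[uphp.docroot_len]` is `/` or the end of the string when the prefix matches. A short comment on the new block stating that the default docroot is only enforced when no `allowed_docroot` is configured would also help, since the `else if` makes the two checks mutually exclusive.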
diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series
--- uwsgi-2.0.15/debian/patches/series	2018-02-09 21:35:00.000000000 +0100
+++ uwsgi-2.0.15/debian/patches/series	2018-03-17 09:21:22.000000000 +0100
@@ -2,6 +2,7 @@
 020170503~ef58701.patch
 020170604~8368f94.patch
 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
+0002-enforce-php-default-document_root-behaviour-to-not-s.patch
 1001_avoid_setting_RPATH.patch
 1002_fix-reload-process-name.patch
 1003_remove-php-libs.patch
