Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aa...@yahoo.no
These are the same changes which were implemented in stretch, two upstream patches. Both of these patches resolve a path traversal flaw, which was first discovered with CVE-2017-1000501.

[ Reason ]
This update fixes bugs #891469 and #977197, which are CVE-2020-29600 and CVE-2020-35176.

[ Impact ]
Possibility to parse and read files in the /etc directory.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,
Håvard

diff -Nru awstats-7.6+dfsg/debian/changelog awstats-7.6+dfsg/debian/changelog --- awstats-7.6+dfsg/debian/changelog 2018-02-02 02:21:35.000000000 +0100 +++ awstats-7.6+dfsg/debian/changelog 2021-02-02 09:35:23.000000000 +0100 @@ -1,3 +1,19 @@ +awstats (7.6+dfsg-2+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * CVE-2020-29600: cgi-bin/awstats.pl?config= accepts an absolute + pathname, even though it was intended to only read a file in the + /etc/awstats/awstats.conf format. NOTE: this issue exists because of + an incomplete fix for CVE-2017-1000501. Closes: #891469 + * CVE-2020-35176: in AWStats through 7.8, cgi-bin/awstats.pl?config= + accepts a partial absolute pathname (omitting the initial /etc), even + though it was intended to only read a file in the + /etc/awstats/awstats.conf format. NOTE: this issue exists because of + an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. + Closes: #977190 + + -- Håvard Flaget Aasen <haavard_aa...@yahoo.no> Tue, 02 Feb 2021 09:35:23 +0100 + awstats (7.6+dfsg-2) unstable; urgency=medium * QA upload. diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch --- awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch 1970-01-01 01:00:00.000000000 +0100 +++ awstats-7.6+dfsg/debian/patches/CVE-2020-29600.patch 2021-02-02 09:35:23.000000000 +0100 
@@ -0,0 +1,55 @@ +From: Laurent Destailleur <e...@destailleur.fr> +Date: Mon, 17 Dec 2018 12:59:51 +0100 +Subject: [PATCH] FIX #90 + +Fixes #90/CVE-2020-29600 + +Origin: upstream, https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376 +Bug: https://github.com/eldy/awstats/issues/90 +Bug-Debian: https://bugs.debian.org/#891469 +Last-Update: 2021-02-02 +Reviewed-by: Håvard Flaget Aasen <haavard_aa...@yahoo.no> + +--- + wwwroot/cgi-bin/awstats.pl | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/wwwroot/cgi-bin/awstats.pl ++++ b/wwwroot/cgi-bin/awstats.pl +@@ -1781,21 +1781,21 @@ + } + + #CL - Added to open config if full path is passed to awstats +- if ( !$FileConfig ) { +- +- my $SiteConfigBis = File::Spec->rel2abs($SiteConfig); +- debug("Finally, try to open an absolute path : $SiteConfigBis", 2); +- +- if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) { +- $FileConfig = "$SiteConfigBis"; +- $FileSuffix = ''; +- if ($Debug){debug("Opened config: $SiteConfigBis", 2);} +- $SiteConfig=$SiteConfigBis; +- } +- else { +- if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);} +- } +- } ++ #if ( !$FileConfig ) { ++ # ++ # my $SiteConfigBis = File::Spec->rel2abs($SiteConfig); ++ # debug("Finally, try to open an absolute path : $SiteConfigBis", 2); ++ # ++ # if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) { ++ # $FileConfig = "$SiteConfigBis"; ++ # $FileSuffix = ''; ++ # if ($Debug){debug("Opened config: $SiteConfigBis", 2);} ++ # $SiteConfig=$SiteConfigBis; ++ # } ++ # else { ++ # if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);} ++ # } ++ # } + + if ( !$FileConfig ) { + if ($DEBUGFORCED || !$ENV{'GATEWAY_INTERFACE'}){ diff -Nru awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch --- awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
awstats-7.6+dfsg/debian/patches/CVE-2020-35176.patch 2021-02-02 09:35:23.000000000 +0100 @@ -0,0 +1,33 @@ +From: Beuc <b...@beuc.net> +Date: Thu, 17 Dec 2020 18:14:43 +0100 +Subject: Only look for configuration in dedicated awstats directories + +Fixes #195/CVE-2020-35176 + +Origin: upstream, https://github.com/eldy/AWStats/pull/196/commits/0d4d4c05f8e73be8f71dd361dc55cbd52858b823 +Bug: https://github.com/eldy/awstats/issues/195 +Bug-Debian: https://bugs.debian.org/#977190 +--- + wwwroot/cgi-bin/awstats.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl +index a003993..598d6b7 100755 +--- a/wwwroot/cgi-bin/awstats.pl ++++ b/wwwroot/cgi-bin/awstats.pl +@@ -1677,13 +1677,13 @@ sub Read_Config { + # Check config file in common possible directories : + # Windows : "$DIR" (same dir than awstats.pl) + # Standard, Mandrake and Debian package : "/etc/awstats" +- # Other possible directories : "/usr/local/etc/awstats", "/etc" ++ # Other possible directories : "/usr/local/etc/awstats", + # FHS standard, Suse package : "/etc/opt/awstats" + my $configdir = shift; + my @PossibleConfigDir = ( + "$DIR", + "/etc/awstats", +- "/usr/local/etc/awstats", "/etc", ++ "/usr/local/etc/awstats", + "/etc/opt/awstats" + ); + diff -Nru awstats-7.6+dfsg/debian/patches/series awstats-7.6+dfsg/debian/patches/series --- awstats-7.6+dfsg/debian/patches/series 2017-12-15 21:55:12.000000000 +0100 +++ awstats-7.6+dfsg/debian/patches/series 2021-02-02 09:35:23.000000000 +0100 @@ -13,3 +13,5 @@ 2009_googlesearch.patch CVE-2017-1000501-1.patch CVE-2017-1000501-2.patch +CVE-2020-29600.patch +CVE-2020-35176.patch
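Review bot: in the debian/changelog hunk the bug closed for CVE-2020-35176 ("Closes: #977190", which matches the Bug-Debian headers of both new patches) disagrees with the #977197 given in the [ Reason ] paragraph of this report; one of the two is a typo and should be fixed before upload so the pu bug and the changelog refer to the same report. The entry also says nothing about the fact that CVE-2020-35176.patch drops "/etc" from the directories searched for awstats configuration files, which is a user-visible change for anyone who keeps the file directly under /etc rather than /etc/awstats; a sentence in this entry (or a debian/NEWS item) telling such users to move the file would avoid silent breakage on upgrade.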
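Review bot: in the CVE-2020-29600.patch hunk the vulnerable rel2abs fallback is commented out rather than deleted, which leaves a block of dead code sitting under a comment ("#CL - Added to open config if full path is passed to awstats") that now describes behaviour the script no longer has. Carrying the upstream commit verbatim is defensible for a stable update, but replacing the block with a single line such as "# Absolute config paths are deliberately not accepted (CVE-2020-29600)" would make the intent clear to the next reader and keep the vulnerable code from being un-commented by mistake. Separately, the DEP-3 header line "Bug-Debian: https://bugs.debian.org/#891469" carries a stray "#"; the conventional form is https://bugs.debian.org/891469 (the same applies to the Bug-Debian line in CVE-2020-35176.patch).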
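Review bot: in the CVE-2020-35176.patch hunk the edited comment line is left with a dangling trailing comma, "# Other possible directories : "/usr/local/etc/awstats"," and should lose the comma now that "/etc" is gone from the list it describes. The DEP-3 header is also thinner than the one on CVE-2020-29600.patch: it has Origin and Bug fields but no Last-Update or Reviewed-by, so add those two for consistency between the two patches. On substance the hunk does what the changelog claims: with "/etc" removed, every directory left in @PossibleConfigDir is either dedicated to awstats or "$DIR", the script's own directory, so a config= value can no longer be resolved against the shared /etc tree.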