authorAnthony G. Basile <blueness@gentoo.org>2013-02-26 20:04:43 +0000
committerAnthony G. Basile <blueness@gentoo.org>2013-02-26 20:04:43 +0000
commit74e3b04afe074e56ccceeac9092b9bea07bd9e54 (patch)
tree04159a96fba6c352743fa6a1432405447d811793 /www-servers
parentVersion bump (#458822 by Manuel Rüger (mrueg)) (diff)
Make log read/write by thttpd user only, bug #458896, CVE-2013-0348
Package-Manager: portage-2.1.11.50/cvs/Linux x86_64 Manifest-Sign-Key: 0xF52D4BBA
Diffstat (limited to 'www-servers')
-rw-r--r--www-servers/thttpd/ChangeLog8
-rw-r--r--www-servers/thttpd/Manifest20
-rw-r--r--www-servers/thttpd/files/thttpd-fix-world-readable-log.patch59
-rw-r--r--www-servers/thttpd/thttpd-2.26.4-r2.ebuild72
4 files changed, 154 insertions, 5 deletions
diff --git a/www-servers/thttpd/ChangeLog b/www-servers/thttpd/ChangeLog
index 0d4a24d38e36..4659e51a2eac 100644
--- a/www-servers/thttpd/ChangeLog
+++ b/www-servers/thttpd/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for www-servers/thttpd
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/thttpd/ChangeLog,v 1.57 2013/02/25 21:27:58 zmedico Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/thttpd/ChangeLog,v 1.58 2013/02/26 20:04:32 blueness Exp $
+
+*thttpd-2.26.4-r2 (26 Feb 2013)
+
+ 26 Feb 2013; Anthony G. Basile <blueness@gentoo.org>
+ +files/thttpd-fix-world-readable-log.patch, +thttpd-2.26.4-r2.ebuild:
+ Make log read/write by thttpd user only, bug #458896, CVE-2013-0348
25 Feb 2013; Zac Medico <zmedico@gentoo.org> thttpd-2.26.4-r1.ebuild:
Add ~arm-linux keyword.
diff --git a/www-servers/thttpd/Manifest b/www-servers/thttpd/Manifest
index 49070b531cf1..56960280163b 100644
--- a/www-servers/thttpd/Manifest
+++ b/www-servers/thttpd/Manifest
@@ -1,18 +1,30 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX thttpd-fix-world-readable-log.patch 1705 SHA256 b193cd25ffbb784c06c0623abaf66378ede510038c225fe174b61630369ac0c5 SHA512 ba03577741bcef20018087942738565136d7cc00e9df4fcc917505190949212363a0b8c48d36211fef9a0552585c175544f7092a6ec22b191409d39679d5f1e3 WHIRLPOOL 2f69c863a69ece8406ae6990026d1f0db7ef04667715f5d55b065e7ed2b2079817351cb4cf9c68b93d7bffba958e4b5e9d5ef8f6a6057c77cebaee68610aa419
AUX thttpd.conf.sample 670 SHA256 abdf9f7c6685f846ee2bd482d60b8f8cedc3747cbc3d32c0dd21d6ca8a4dd8de SHA512 97c8582438518bf528b6d419fdb7bd94668e91e6b7033a3ed5cda4afb3539e38bf24aea5ae4b138ff2c561c95003e7f85cfa7ce88cd97e8cbbf558bc4147d2c6 WHIRLPOOL 3831498f048ea44e3969e97d9436f6a61d4afc88e95e3aa5910fb3f8a3fc8acde9f1ff63f935eba0c0636e6f592c2f8c441044666322888a2ac7f257ec6925a3
AUX thttpd.confd.1 1263 SHA256 79e5cb1fba2b80c1c7970093861f8afe7e09d723faf8e044fc540742abdc37bc SHA512 83b8d5aebf180c398e27695bcfc9b847f6535302b4521be460ffd2e867b20fcf1083bcacdb605e557038c54631546a7ee1ba928611a6a23d786fb9f6ef9e0ee0 WHIRLPOOL a8bec5f119ac3e3856938c1753f8bde1f8d1839c94f3a1f4180d29932f2c79066e64b696f18babf847367bb4f96c9267567a0a6db9239bbc0ce1946738781ca8
AUX thttpd.init.1 734 SHA256 d3945c6fd088c02a51157c4aaf722f4b9b5accfa5aded37fe26fd447904621cd SHA512 8fba38fbf1591a665e08ad8ef7f3b02e99ec8b6708f8b3941a913e088367d00c68210ea8019cc88b30deadd3372c8fb05188019a5c4deb94444d12e81aaad106 WHIRLPOOL 8c7e0506ac5b4c74325b12a034da81a2f4ae8eeaa10f5e39ba70093568e6b7e202f493c66754210585c8a42ab90b188071e4d734ee23069c913d69ad62255a41
AUX thttpd.logrotate 197 SHA256 0399d9fdc31a5555307d33c4744b21271e9d7d4d6ded78573fb9b2210f593bc6 SHA512 a481c8c2d3a4526b04d6c95873336e46368e32e6f254f7453f5ccefe38cb11104ecacd7829caa7881df81c0d36c1dd4f60a91bbc7696fa349ed9c2cc7ddc84cd WHIRLPOOL 79577136bbfdf6b2b6026f1e114d4af8a66712abd0efc892f96f5ac0c084341621a3f413102764a750bf101237b9ae52424a2cd6f1b0b92b4430037faf954a6b
DIST sthttpd-2.26.4.tar.gz 194544 SHA256 78e87979140cbda123c81b4051552242dbbffb5dec1a17e5f95ec4826b1eaddb SHA512 64d0ab4720cc0a8926bc8537d335f5238e5343cf6caad837fe09fe46bfaaaa7013b690193905b3db31a5e945141e7fb3aca52355459ff151ce56b30cfefccd87 WHIRLPOOL e38cce33dd417ce8e30426d0764797e24ebfab2060bacf2f27ee2717b2025e48e6f32245cc6a5ebfed856f8755098f1540ec7ed2005aad1aeff65454dd731c1a
EBUILD thttpd-2.26.4-r1.ebuild 1710 SHA256 b1adcab824cb9b1cdb144cdd770fbfb99497b04350fd232d2fcdfdfbf4e6a9da SHA512 25452f644ec4cb81ceb7d0120886b801eecc7a6c52280c9d0fd4c8ceb5e2bb4999eebcef2fc5186c4e034247dcbdf51535d059c860ff8647f306fdbe013e0753 WHIRLPOOL 5c85ee6826c0bc25ae555dd585ad9211a78fa1f672fef6604e968d2d680d6d08f1ee5b216bad03437ffddbae28169fd0e7b9f8604b37a1f6c81da9315317895e
-MISC ChangeLog 10918 SHA256 bf8c0c266ba28cd94c2e8afed6278da2b3159d70b0de82001f321d2f32d25f22 SHA512 30418748a1f043e26fb6b8cdd2fcf83539710a62416ad50102c89f0727e71c69100d9bbd831b448c6c74eb6ac979f8a782ea71b6a2edc23fbc2156d128e84ea3 WHIRLPOOL 18f23c8b327cb9d73616687081c32ffc2892974557aba1846078de1dcdc0517d155d592d84c2633c01e1eced3d19f2534776f7b20748b58a2d7bf2d824931b96
+EBUILD thttpd-2.26.4-r2.ebuild 1794 SHA256 8d21236955a08197eedd9339c2c86e9fb47c25ef9925cefb0c33e4b9309e1de7 SHA512 cdfd725541d7d454fc56fc03b106fee7acfa2f70367753c45bd1679643d6733a900588e61752a373f04aa54217a7537a6386a937eadf22f77ccd3c7e25cefbee WHIRLPOOL 3d58c9a4c60956bf5d2837a427345814fa9447c64a3065ee8984f3163907acd3860a1524233d234367db971189f973bd87c661d27a067a0d83d2f9b32816d1f7
+MISC ChangeLog 11150 SHA256 66ddb1fcb52602d576fb736a4d4a0841f0da1f12d0c2b73bca6ce75c17949413 SHA512 704a5733378203ae2220108e9bcfb3892b62e28a00316764e40dae5fbe50852891ecfc4d1d60c51da8f8ba2acc957dc19d3047a7dbbd89aa6886ffc3040e5f04 WHIRLPOOL 15579f6043706b41b2e21c9da1cfb4862a54608aa970ce754f0af91a9d4b653f046243a574597334b512356ee34fc4b4b15d5b53bef6d33f0e17ae8bd2c9ba53
MISC metadata.xml 234 SHA256 86b598d5029ad9988722ec63434ea041be297ddbb0b2e290025f3b9737427ae9 SHA512 6bae37c6cc1d1145120c93ca1e2dcfe44019a51ef00edbc4ce132dbbe1f349a0eb854d6b0c1e4585fb4026a2142d23cc6ea493fc8ceb1aba7d8e3a404ad81491 WHIRLPOOL ee79d3a53e7c3d2b2af95c299347c823a6e6270eb7130c5dabaf966ef7615c063fced95a444e81165cf7c04543247654afa1195c2dc085e34cc8194a9a63f75e
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iEYEAREIAAYFAlEr118ACgkQ/ejvha5XGaNsTACfflNv2ieuiryv8PimX9lD5T+Q
-DLsAn3PDnr0se9hjR22JwXsrhrhqi7yS
-=3iC4
+iQIcBAEBCAAGBQJRLRVGAAoJEJOE+m71LUu6vkoP/1EiNXH+27noz/JTDt6wohoj
+7zG7R0jjK99KP7w5yDi5Sbu6nSXGP4YGKoSbzaCcZb1MQ2JvvldoMdjV1WaZOZmI
+tK5d0iq3Aa0f8XwjoGj+Ea1Iv4MW4oZ+z9Lwvdw2vRZm0dEUnz8wDRWnhLmzDHad
++LzaNW/ZxOqT7lq899KxEayE9tSMoxxKG3K5lCzsOtXzAHSb/vTbUiq4y37UJU2R
+5SbyOcD6v1IquM1aQBy+hkJoUm1KWXcdwb+WCZN2J4pIfp2rwRNB4MqP4Uq58gS1
+TxQDbJAm5FmxD5fk6TAa9bN2GpknNMRfnOgmEmkmEkKDg0DFYFAWobiQ7MkY5waF
+ZYEofHQ86AlnljRk2Ky+5v6DhaDWkRf7Fz8P1XjqVHzJ2bMfgRWk2YWYDEd7u492
+1aVTSUNCqtTaA3tQY9/4HrP4OUwmUUYdaESzVPJ8edh0z7R7mnkw5wtIJLbazJ2J
+0jqiSSLVq4tPPDP9VdoyyrjwNLTP3tVYGvlxpUFuE8TFDJ9b0kPLmgsYjEr2tssg
+2pnfZ7ca3dB0eIgpSMvnJEkJtVUPLzsIlmvzkTI4MXl+2X114ilnCaayZ3tzNHhM
+/PRYOSmuu5CQirs5oqVM8AHwWxwjeHnepTiLcEewnpVz7Pqyv1QmwVaeQaYDNmdh
+25xMLZ9hcjfHA8ngq3Lr
+=Cv51
-----END PGP SIGNATURE-----
diff --git a/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch b/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch
new file mode 100644
index 000000000000..5c011bac52b5
--- /dev/null
+++ b/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch
@@ -0,0 +1,59 @@
+From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile" <blueness@gentoo.org>
+Date: Tue, 26 Feb 2013 14:28:26 -0500
+Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348.
+
+Make sure that the logfile is created or reopened as read/write
+by thttpd user only.
+
+X-gentoo-Bug: 458896
+X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896
+Reported-by: Agostino Sarubbo <ago@gentoo.org>
+Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>
+---
+ src/thttpd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/thttpd.c b/src/thttpd.c
+index 019b8c0..f33a7a7 100644
+--- a/src/thttpd.c
++++ b/src/thttpd.c
+@@ -326,6 +326,7 @@ static void
+ re_open_logfile( void )
+ {
+ FILE* logfp;
++ int retchmod;
+
+ if ( no_log || hs == (httpd_server*) 0 )
+ return;
+@@ -335,7 +336,8 @@ re_open_logfile( void )
+ {
+ syslog( LOG_NOTICE, "re-opening logfile" );
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
+ return;
+@@ -355,6 +357,7 @@ main( int argc, char** argv )
+ gid_t gid = 32767;
+ char cwd[MAXPATHLEN+1];
+ FILE* logfp;
++ int retchmod;
+ int num_ready;
+ int cnum;
+ connecttab* c;
+@@ -424,7 +427,8 @@ main( int argc, char** argv )
+ else
+ {
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "%.80s - %m", logfile );
+ perror( logfile );
+--
+1.7.12.4
+
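Review bot: In the new patch the log file is still created by `fopen( logfile, "a" )` under the process umask before `chmod` tightens it, so on first creation there is a window in which the file carries the default (typically group/world-readable) mode, and that `chmod` is path-based, so it acts on whatever `logfile` resolves to at that moment rather than on the descriptor that was just opened; this applies to both hunks of the embedded patch, re_open_logfile and main. Opening with `open( logfile, O_WRONLY|O_APPEND|O_CREAT, S_IRUSR|S_IWUSR )`, wrapping the descriptor with `fdopen`, and then applying `fchmod` for the case where the file already existed closes the creation window and ties the mode change to the file actually opened; the `int retchmod;` added in each declaration block would become an `int logfd;`. As written, `chmod` is also attempted when `fopen` returned NULL, and when `fopen` succeeds but `chmod` fails the fresh `logfp` is abandoned without `fclose`, which in re_open_logfile leaks a descriptor on every failed re-open. The sketch below shows the re_open_logfile hunk; main's hunk changes the same way, and `<fcntl.h>` must be available for `open` if it is not already included.
```c
    syslog( LOG_NOTICE, "re-opening logfile" );
    /* Create with 0600 from the start so there is no umask-permissioned
    ** window; O_APPEND keeps the semantics of fopen( ..., "a" ).
    */
    logfd = open( logfile, O_WRONLY | O_APPEND | O_CREAT, S_IRUSR | S_IWUSR );
    logfp = ( logfd < 0 ) ? (FILE*) 0 : fdopen( logfd, "a" );
    /* Tighten a pre-existing file via the descriptor, not the path. */
    if ( logfp == (FILE*) 0 || fchmod( logfd, S_IRUSR | S_IWUSR ) != 0 )
        {
        syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
        if ( logfp != (FILE*) 0 )
            (void) fclose( logfp );
        else if ( logfd >= 0 )
            (void) close( logfd );
        /* … unchanged: return … */
```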
diff --git a/www-servers/thttpd/thttpd-2.26.4-r2.ebuild b/www-servers/thttpd/thttpd-2.26.4-r2.ebuild
new file mode 100644
index 000000000000..44304462ee3b
--- /dev/null
+++ b/www-servers/thttpd/thttpd-2.26.4-r2.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/thttpd/thttpd-2.26.4-r2.ebuild,v 1.1 2013/02/26 20:04:32 blueness Exp $
+
+EAPI="4"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+MY_P="s${P}"
+
+DESCRIPTION="Fork of thttpd, a small, fast, multiplexing webserver."
+HOMEPAGE="http://opensource.dyc.edu/sthttpd"
+SRC_URI="http://opensource.dyc.edu/pub/sthttpd/${MY_P}.tar.gz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
+IUSE=""
+
+RDEPEND=""
+DEPEND=""
+
+WEBROOT="/var/www/localhost"
+
+THTTPD_USER=thttpd
+THTTPD_GROUP=thttpd
+THTTPD_DOCROOT="${EPREFIX}${WEBROOT}/htdocs"
+
+DOCS=( README TODO )
+
+pkg_setup() {
+ ebegin "Creating thttpd user and group"
+ enewgroup ${THTTPD_GROUP}
+ enewuser ${THTTPD_USER} -1 -1 -1 ${THTTPD_GROUP}
+}
+
+src_prepare () {
+ epatch "${FILESDIR}"/thttpd-fix-world-readable-log.patch
+}
+
+src_configure() {
+ econf WEBDIR=${THTTPD_DOCROOT}
+}
+
+src_install () {
+ default
+
+ newinitd "${FILESDIR}"/thttpd.init.1 thttpd
+ newconfd "${FILESDIR}"/thttpd.confd.1 thttpd
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/thttpd.logrotate" thttpd
+
+ insinto /etc/thttpd
+ doins "${FILESDIR}"/thttpd.conf.sample
+
+ #move htdocs to docdir, bug #429632
+ docompress -x /usr/share/doc/"${PF}"/htdocs.dist
+ mv "${ED}"${WEBROOT}/htdocs \
+ "${ED}"/usr/share/doc/"${PF}"/htdocs.dist
+ mkdir "${ED}"${WEBROOT}/htdocs
+
+ keepdir ${WEBROOT}/htdocs
+
+ chown root:${THTTPD_GROUP} "${ED}/usr/sbin/makeweb" \
+ || die "Failed chown makeweb"
+ chmod 2751 "${ED}/usr/sbin/makeweb" \
+ || die "Failed chmod makeweb"
+ chmod 755 "${ED}/usr/share/doc/${PF}/htdocs.dist/cgi-bin/printenv" \
+ || die "Failed chmod printenv"
+}
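Review bot: In src_install the `mv` and `mkdir` that relocate htdocs run unchecked, while the adjacent `chown`/`chmod` calls all carry `|| die`; a failed move would leave the package installed without its docs and without `${WEBROOT}/htdocs`, silently, so append `|| die "Failed to move htdocs"` and `|| die "Failed to create htdocs"` respectively. pkg_setup opens with `ebegin "Creating thttpd user and group"` but never calls `eend`, so the status line is never closed. The function headers are inconsistent: `src_prepare ()` and `src_install ()` put a space before the parentheses while `pkg_setup()` and `src_configure()` do not. Since this revision exists to make the log mode 0600, it is worth confirming that the installed thttpd.logrotate (not shown here) creates rotated and replacement log files with an equally restrictive mode and the thttpd owner, otherwise rotation could reintroduce a readable copy.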