From 2d51255ecc3d2e3c1e2ba0367c7a182501f59d15f00420021c520787dcd7037f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?=
Date: Tue, 3 Dec 2013 14:32:15 +0000
Subject: [PATCH] - fix CVE-2013-0348 (bnc#853381) * don't create a world readable logfile
OBS-URL: https://build.opensuse.org/package/show/server:http/thttpd?expand=0&rev=19
---
 thttpd-CVE-2013-0348.patch | 60 ++++++++++++++++++++++++++++++++++++++
 thttpd.changes | 6 ++++
 thttpd.spec | 2 ++
 3 files changed, 68 insertions(+)
 create mode 100644 thttpd-CVE-2013-0348.patch
diff --git a/thttpd-CVE-2013-0348.patch b/thttpd-CVE-2013-0348.patch
new file mode 100644
index 0000000..94711bd
--- /dev/null
+++ b/thttpd-CVE-2013-0348.patch
@@ -0,0 +1,60 @@
+From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile"
+Date: Tue, 26 Feb 2013 14:28:26 -0500
+Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348.
+
+Make sure that the logfile is created or reopened as read/write
+by thttpd user only.
+
+X-gentoo-Bug: 458896
+X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896
+Reported-by: Agostino Sarubbo
+Signed-off-by: Anthony G. Basile
+---
+ src/thttpd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/thttpd.c b/src/thttpd.c
+index 019b8c0..f33a7a7 100644
+--- a/src/thttpd.c
++++ b/src/thttpd.c
+@@ -326,6 +326,7 @@ static void
+ re_open_logfile( void )
+ {
+ FILE* logfp;
++ int retchmod;
+
+ if ( no_log || hs == (httpd_server*) 0 )
+ return;
+@@ -335,7 +336,8 @@ re_open_logfile( void )
+ {
+ syslog( LOG_NOTICE, "re-opening logfile" );
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
+ return;
+@@ -355,6 +357,7 @@ main( int argc, char** argv )
+ gid_t gid = 32767;
+ char cwd[MAXPATHLEN+1];
+ FILE* logfp;
++ int retchmod;
+ int num_ready;
+ int cnum;
+ connecttab* c;
+@@ -424,7 +427,8 @@ main( int argc, char** argv )
+ else
+ {
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "%.80s - %m", logfile );
+ perror( logfile );
+--
+1.7.9.5
+
+
diff --git a/thttpd.changes b/thttpd.changes
index 9b853de..9725b49 100644
--- a/thttpd.changes
+++ b/thttpd.changes
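Review bot: At both patched sites (re_open_logfile and main) the log is still created by `fopen( logfile, "a" )` with umask-derived permissions and only narrowed afterwards by a path-based `chmod()`, so a newly created file is briefly readable by other users and the chmod applies to whatever the path names at that moment rather than to the stream that was just opened. Creating the file with its final mode and tightening an already existing one through the descriptor avoids both problems: `open()` with `O_CREAT` and mode `S_IRUSR|S_IWUSR`, then `fchmod()`, then `fdopen()`. The combined test also has two side effects: when `fopen` fails, `chmod` still runs and overwrites `errno`, so `%m` can report the wrong cause, and when `fopen` succeeds but `chmod` fails, re_open_logfile returns without closing `logfp`. The sketch below covers the re_open_logfile site, replaces the `int retchmod;` declaration with `int logfd;`, and assumes `<fcntl.h>` is already included in thttpd.c; both function bodies continue outside the hunks, and the same change applies in main(). Log files rotated before the update keep their old mode and need a one-off permission fix.

```c
	/* … unchanged: syslog( LOG_NOTICE, "re-opening logfile" ) … */
	logfp = (FILE*) 0;
	/* Mode applies only when the file is created; fchmod narrows an existing one. */
	logfd = open( logfile, O_WRONLY|O_APPEND|O_CREAT, S_IRUSR|S_IWUSR );
	if ( logfd >= 0 && fchmod( logfd, S_IRUSR|S_IWUSR ) == 0 )
	    logfp = fdopen( logfd, "a" );
	if ( logfp == (FILE*) 0 )
	    {
	    /* Log first so %m still reflects the failing call, then release the fd. */
	    syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
	    if ( logfd >= 0 )
		(void) close( logfd );
	    return;
```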
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Dec 3 14:31:18 UTC 2013 - vcizek@suse.com
+
+- fix CVE-2013-0348 (bnc#853381)
+ * don't create a world readable logfile
+
 -------------------------------------------------------------------
 Thu Jun 27 21:03:49 UTC 2013 - crrodriguez@opensuse.org
diff --git a/thttpd.spec b/thttpd.spec
index 8279e2b..52108bf 100644
--- a/thttpd.spec
+++ b/thttpd.spec
@@ -38,6 +38,7 @@ Patch11: %{name}-%{version}-strcpy.patch
 Patch12: thttpd-2.25b-getline.patch
 # PATCH-FIX-SUSE CVE-2012-5640
 Patch13: thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
+Patch14: thttpd-CVE-2013-0348.patch
 Url: http://www.acme.com/software/thttpd/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Summary: Small and very simple webserver
@@ -78,6 +79,7 @@ Authors:
 %patch11
 %patch12
 %patch13 -p1
+%patch14 -p1
 %build
 cp /usr/share/automake-1.*/config.* .