diff -u uzbl-0.0.0~git.20111128/debian/changelog uzbl-0.0.0~git.20111128/debian/changelog --- uzbl-0.0.0~git.20111128/debian/changelog +++ uzbl-0.0.0~git.20111128/debian/changelog @@ -1,3 +1,10 @@ +uzbl (0.0.0~git.20111128-2) unstable; urgency=high + + * Security fix for CVE-2012-0843 + + Restrict third-party access to cookie jar (Closes: #659379) + + -- Luca Bruno Tue, 14 Feb 2012 18:14:55 +0100 + uzbl (0.0.0~git.20111128-1) unstable; urgency=low * New upstream version diff -u uzbl-0.0.0~git.20111128/debian/patches/series uzbl-0.0.0~git.20111128/debian/patches/series --- uzbl-0.0.0~git.20111128/debian/patches/series +++ uzbl-0.0.0~git.20111128/debian/patches/series @@ -1 +1 @@ -fix-bashisms +CVE-2012-0843.patch only in patch2: unchanged: --- uzbl-0.0.0~git.20111128.orig/debian/patches/CVE-2012-0843.patch +++ uzbl-0.0.0~git.20111128/debian/patches/CVE-2012-0843.patch @@ -0,0 +1,74 @@ +commit 0d747f8715f2b9d2acddda8748e0c3f838f197de +Author: Luca Bruno +Date: Sat Feb 11 15:23:14 2012 +0100 + + Restrict third-party access to cookie jar (CVE-2012-0843) + + Make sure new cookie jar is created with no permission for "others", + and remove excessive rights on existing jar if any. + This fixes CVE-2012-0843 and uzbl bug #291. + + Signed-off-by: Luca Bruno + +diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py +index e29ee36..721feef 100644 +--- a/examples/data/plugins/cookies.py ++++ b/examples/data/plugins/cookies.py +@@ -2,7 +2,7 @@ + forwards cookies to all other instances connected to the event manager""" + + from collections import defaultdict +-import os, re ++import os, re, stat + + # these are symbolic names for the components of the cookie tuple + symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5} +@@ -32,6 +32,14 @@ class ListStore(list): + class TextStore(object): + def __init__(self, filename): + self.filename = filename ++ try: ++ # make sure existing cookie jar is not world-open ++ perm_mode = os.stat(self.filename).st_mode ++ if (perm_mode & (stat.S_IRWXO | stat.S_IRWXG)) > 0: ++ safe_perm = stat.S_IMODE(perm_mode) & ~(stat.S_IRWXO | stat.S_IRWXG) ++ os.chmod(self.filename, safe_perm) ++ except OSError: ++ pass + + def as_event(self, cookie): + """Convert cookie.txt row to uzbls cookie event format""" +@@ -76,16 +84,25 @@ class TextStore(object): + # delete equal cookies (ignoring expire time, value and secure flag) + self.delete_cookie(None, cookie[:-3]) + ++ # restrict umask before creating the cookie jar ++ curmask=os.umask(0) ++ os.umask(curmask| stat.S_IRWXO | stat.S_IRWXG) ++ + first = not os.path.exists(self.filename) + with open(self.filename, 'a') as f: + if first: + print >> f, "# HTTP Cookie File" + print >> f, '\t'.join(self.as_file(cookie)) ++ os.umask(curmask) + + def delete_cookie(self, rkey, key): + if not os.path.exists(self.filename): + return + ++ # restrict umask before creating the cookie jar ++ curmask=os.umask(0) ++ os.umask(curmask | stat.S_IRWXO | stat.S_IRWXG) ++ + # read all cookies + with open(self.filename, 'r') as f: + cookies = f.readlines() +@@ -96,6 +113,7 @@ class TextStore(object): + c = self.as_event(l.split('\t')) + if c is None or not match(key, c): + print >> f, l, ++ os.umask(curmask) + + xdg_data_home = os.environ.get('XDG_DATA_HOME', os.path.join(os.environ['HOME'], '.local/share')) + DefaultStore = TextStore(os.path.join(xdg_data_home, 'uzbl/cookies.txt'))