aboutsummaryrefslogtreecommitdiffstats
path: root/community
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2019-07-04 06:28:50 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2019-07-04 06:31:45 +0000
commitb40ea6190be45c9b281f309f8724510d65fed4a9 (patch)
tree0ccc103e3bad12b0ea03b8f2a93e16aa20920041 /community
parent011b9d5c5ae0af504ab1bb28a042d56676636a00 (diff)
downloadaports-b40ea6190be45c9b281f309f8724510d65fed4a9.tar.bz2
aports-b40ea6190be45c9b281f309f8724510d65fed4a9.tar.xz
community/patchwork: security fix for CVE-2019-13122
Diffstat (limited to 'community')
-rw-r--r--community/patchwork/APKBUILD13
-rw-r--r--community/patchwork/CVE-2019-13122.patch91
2 files changed, 100 insertions, 4 deletions
diff --git a/community/patchwork/APKBUILD b/community/patchwork/APKBUILD
index 93117533ba..6cc8e9a1c1 100644
--- a/community/patchwork/APKBUILD
+++ b/community/patchwork/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=patchwork
pkgver=2.0.1
-pkgrel=0
+pkgrel=1
pkgdesc="Web-based patch tracking system"
url="https://github.com/getpatchwork/patchwork"
arch="noarch"
@@ -15,12 +15,16 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/getpatchwork/$pkgname/archiv
0001-support-busybox-readlink.patch
0002-remove-uneeded-bashism-from-tools-and-change-path.patch
nginx-uwsgi-patchwork-conf.ini
- nginx-patchwork.conf"
+ nginx-patchwork.conf
+ CVE-2019-13122.patch"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 2.0.1-r1:
+# - CVE-2019-13122
+
build() {
- cd "$builddir"
return 0
}
@@ -80,4 +84,5 @@ sha512sums="95dcfcdf19de0a65a77ab4274de82457c969e3a65705da25cbec742e4d6671e51e62
5facc2c2620b2d614011bcdc06bb481fb1481c79333579e5a7fa5b8bc4f97d1651cc8c4632a5e150b62674d64c00345341229319f1edb2016721868e84146826 0001-support-busybox-readlink.patch
f6d3590b3ac53797e0ae25fe50ab0935608be5ded44665599cbc91e93558895eddc6a7a717153d81fc194b314d7854686577ef5ecf9e0302b7824ce3b3863f7b 0002-remove-uneeded-bashism-from-tools-and-change-path.patch
28911a25e00a254237f7214fb681e5e984a2eae331e610be62967d5e246958e0f8d3f84861d8fd17c1190c1df72a25f28ddb33843b3679a3864beb00cb4b4961 nginx-uwsgi-patchwork-conf.ini
-862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725 nginx-patchwork.conf"
+862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725 nginx-patchwork.conf
+fb1e70245d285e725a85d8c37a97ba5d393ccd7c1704130be9d518a44721e23ffe85345e325ef172bc23c959a3159b113616c5ecd8b80c560730a79177272f8a CVE-2019-13122.patch"
diff --git a/community/patchwork/CVE-2019-13122.patch b/community/patchwork/CVE-2019-13122.patch
new file mode 100644
index 0000000000..4c23714a2c
--- /dev/null
+++ b/community/patchwork/CVE-2019-13122.patch
@@ -0,0 +1,91 @@
+From 556f750d8d723791fded3476bcd9885d4b97355b Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <ajd@linux.ibm.com>
+Date: Mon, 1 Jul 2019 15:28:03 +1000
+Subject: [PATCH 1/2] templatetags: Do not mark output of msgid tag as safe
+
+The msgid template tag exists to remove angle brackets from either side of
+the Message-ID header.
+
+It also marks its output as safe, meaning it does not get autoescaped by
+Django templating.
+
+Its output is not safe. A maliciously crafted email can include HTML tags
+inside the Message-ID header, and as long as the angle brackets are not at
+the start and end of the header, we will quite happily render them.
+
+Rather than using mark_safe(), use escape() to explicitly escape the
+Message-ID.
+
+Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
+---
+ patchwork/templatetags/patch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
+index ea5a71de362f..757f873b6043 100644
+--- a/patchwork/templatetags/patch.py
++++ b/patchwork/templatetags/patch.py
+@@ -5,6 +5,7 @@
+ # SPDX-License-Identifier: GPL-2.0-or-later
+
+ from django import template
++from django.utils.html import escape
+ from django.utils.safestring import mark_safe
+ from django.template.defaultfilters import stringfilter
+
+@@ -64,4 +65,4 @@ def patch_checks(patch):
+ @register.filter
+ @stringfilter
+ def msgid(value):
+- return mark_safe(value.strip('<>'))
++ return escape(value.strip('<>'))
+--
+2.20.1
+
+From 3bf1aa7568a9a1f08f13ed28c5ac6102841bd4dd Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <ajd@linux.ibm.com>
+Date: Mon, 1 Jul 2019 18:04:53 +1000
+Subject: [PATCH 2/2] tests: Add test for unescaped values in patch detail page
+
+Add a test to check whether we are escaping values from the Patch model on
+the patch detail page.
+
+This test shouldn't be relied upon as proof that we've escaped everything
+correctly, but may help catch regressions.
+
+Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
+---
+ patchwork/tests/test_detail.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/patchwork/tests/test_detail.py b/patchwork/tests/test_detail.py
+index 4ca1c9cda2f9..18408ecb95f6 100644
+--- a/patchwork/tests/test_detail.py
++++ b/patchwork/tests/test_detail.py
+@@ -34,6 +34,23 @@ class PatchViewTest(TestCase):
+ response = self.client.get(requested_url)
+ self.assertRedirects(response, redirect_url)
+
++ def test_escaping(self):
++ # Warning: this test doesn't guarantee anything - it only tests some
++ # fields
++ unescaped_string = 'blah<b>TEST</b>blah'
++ patch = create_patch()
++ patch.diff = unescaped_string
++ patch.commit_ref = unescaped_string
++ patch.pull_url = unescaped_string
++ patch.name = unescaped_string
++ patch.msgid = unescaped_string
++ patch.headers = unescaped_string
++ patch.content = unescaped_string
++ patch.save()
++ requested_url = reverse('patch-detail', kwargs={'patch_id': patch.id})
++ response = self.client.get(requested_url)
++ self.assertNotIn('<b>TEST</b>'.encode('utf-8'), response.content)
++
+
+ class CommentRedirectTest(TestCase):
+
+--
+2.20.1
+