diff -u cherrypy3-3.0.2/debian/control cherrypy3-3.0.2/debian/control
--- cherrypy3-3.0.2/debian/control
+++ cherrypy3-3.0.2/debian/control
@@ -1,7 +1,8 @@
 Source: cherrypy3
 Section: python
 Priority: optional
-Maintainer: Gustavo Noronha Silva
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Gustavo Noronha Silva
 Uploaders: Debian Python Modules Team
 Build-Depends: cdbs (>= 0.4.42), debhelper (>= 5.0.37.1), python-setuptools (>= 0.6a9-1), python-all-dev (>= 2.3.5-11), python-support (>= 0.6.4)
 Build-Depends-Indep: python-epydoc
diff -u cherrypy3-3.0.2/debian/changelog cherrypy3-3.0.2/debian/changelog
--- cherrypy3-3.0.2/debian/changelog
+++ cherrypy3-3.0.2/debian/changelog
@@ -1,3 +1,15 @@
+cherrypy3 (3.0.2-1ubuntu0.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: directory traversal via session cookie ID.
+ - debian/patches/10_CVE-2008-0252.diff: Add. Ensure that the path
+ generated from the session ID is within the session directory. Patch
+ from upstream SVN. (LP: #187481)
+ - References:
+ + CVE-2008-0252
+ * Modify Maintainer value to match the DebianMaintainerField specification.
+
+ -- William Grant Sun, 09 Mar 2008 15:31:25 +1100
+
 cherrypy3 (3.0.2-1) unstable; urgency=low
 
 * New upstream release
only in patch2:
unchanged:
--- cherrypy3-3.0.2.orig/debian/patches/10_CVE-2008-0252.diff
+++ cherrypy3-3.0.2/debian/patches/10_CVE-2008-0252.diff
@@ -0,0 +1,15 @@
+diff -Nur -x '*.orig' -x '*~' cherrypy3-3.0.2/cherrypy/lib/sessions.py cherrypy3-3.0.2.new/cherrypy/lib/sessions.py
+--- cherrypy3-3.0.2/cherrypy/lib/sessions.py 2007-08-06 10:04:44.000000000 +1000
++++ cherrypy3-3.0.2.new/cherrypy/lib/sessions.py 2008-03-09 15:06:25.000000000 +1100
+@@ -260,7 +260,10 @@
+ os.path.abspath(self.storage_path)))
+
+ def _get_file_path(self):
+- return os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
++ f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id)
++ if not os.path.normpath(f).startswith(self.storage_path):
++ raise cherrypy.HTTPError(400, "Invalid session id in cookie.")
++ return f
+
+ def _load(self, path=None):
+ if path is None:
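Review bot: The containment check added to `_get_file_path` in the new 10_CVE-2008-0252.diff is a bare string-prefix test, so a normalized path that resolves into a sibling directory whose name merely begins with the storage directory's name still passes, and it compares against the raw `self.storage_path` while the context line just above normalizes that value with `os.path.abspath`, so a relative or trailing-slash `storage_path` makes the comparison reject or accept inconsistently. Compare against the normalized base followed by a separator instead: `base = os.path.normpath(self.storage_path)` and `if not os.path.normpath(f).startswith(base + os.sep):`, keeping the 400 response unchanged. The enclosing session class and the `_load` method continue outside the hunk; since this hunk adds a patch file, the change belongs inside that patch rather than in the package diff itself.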