main/awstats: security fix (CVE-2017-1000501)

Fixes #8371

3 files changed, 149 insertions, 6 deletions

diff --git a/main/awstats/APKBUILD b/main/awstats/APKBUILD
index 2a41a20684..168d9dcbd3 100644
--- a/main/awstats/APKBUILD
+++ b/main/awstats/APKBUILD
@@ -2,19 +2,27 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=awstats
 pkgver=7.6
-pkgrel=1
+pkgrel=2
 pkgdesc="Free real-time logfile analyzer to get advanced statistics"
 url="http://awstats.sourceforge.net/"
 arch="noarch"
 license="GPL-3.0-or-later"
 depends="perl perl-uri"
 subpackages="$pkgname-doc"
-source="https://prdownloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz"
+options="!check" # no testsuite
+source="https://prdownloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2017-1000501-1.patch
+	CVE-2017-1000501-2.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   7.6-r2
+#     - CVE-2017-1000501
+
 prepare() {
 	local file
-	cd "$builddir"
+	default_prepare
 	for file in tools/* wwwroot/cgi-bin/*; do
 		[ -f "${file}" ] || continue
 		sed -e "s:/usr/local/$pkgname/wwwroot:/usr/lib/$pkgname:g" \
@@ -54,6 +62,6 @@ package() {
 		"$pkgdir"/usr/lib/$pkgname/cgi-bin/plugins/example
 }
 
-md5sums="c69977f938be594b81fdb5e065846d31  awstats-7.6.tar.gz"
-sha256sums="4045501319bf99e223bdb492a68a8f08b8e814b0f144a008726d7bd59114167a  awstats-7.6.tar.gz"
-sha512sums="ebce29dcbdc1f0eef68f1faf6a511212daba3e3621db682dce692dffa584e0c456fb260b9f8e1b7ac25a2a7d5d2bea5034692d2395d4e56a16fa5a36844c79d5  awstats-7.6.tar.gz"
+sha512sums="ebce29dcbdc1f0eef68f1faf6a511212daba3e3621db682dce692dffa584e0c456fb260b9f8e1b7ac25a2a7d5d2bea5034692d2395d4e56a16fa5a36844c79d5  awstats-7.6.tar.gz
+0f5c3f3581c1ca2731f65180d898cf15ffd8fc21d490d54c773efdf310f87dd0dde83be4c3892474924e7c77bad5f0981d15be9ba740ecf146b1d8e6c8091544  CVE-2017-1000501-1.patch
+7230907b6184bdcc6f1c971236a91a7053d7340dad848daea82ff2bdaf78c1e1ef882c706955e93221036dca0faf9aa333a9f0231d6b20ad65df915c72900a4d  CVE-2017-1000501-2.patch"
diff --git a/main/awstats/CVE-2017-1000501-1.patch b/main/awstats/CVE-2017-1000501-1.patch
new file mode 100644
index 0000000000..36b6aaa818
--- /dev/null
+++ b/main/awstats/CVE-2017-1000501-1.patch
@@ -0,0 +1,68 @@
+From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur <eldy@destailleur.fr>
+Date: Sun, 17 Dec 2017 12:55:48 +0100
+Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
+ arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index 091d6823..fca4900f 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1780,7 +1780,7 @@ sub Read_Config {
+ 		}else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
+ 	}
+ 	
+-		#CL - Added to open config if full path is passed to awstats 
++	#CL - Added to open config if full path is passed to awstats 
+ 	if ( !$FileConfig ) {
+ 		
+ 		my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+@@ -2205,7 +2205,10 @@ sub Parse_Config {
+ 		}
+ 
+ 		# Plugins
+-		if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
++		if ( $param =~ /^LoadPlugin/ ) {
++			$value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g;		# Sanitize plugin name and string param because it is used later in an eval.
++			push @PluginsToLoad, $value; next; 
++		}
+ 
+ 	  # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
+ 		if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
+@@ -3251,7 +3254,7 @@ sub Read_Plugins {
+ 						}
+ 						my $ret;    # To get init return
+ 						my $initfunction =
+-						  "\$ret=Init_$pluginname('$pluginparam')";
++						  "\$ret=Init_$pluginname('$pluginparam')";		# Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+ 						my $initret = eval("$initfunction");
+ 						if ( $initret && $initret eq 'xxx' ) {
+ 							$initret =
+@@ -17140,7 +17143,10 @@ sub HTMLMainExtra{
+ 	# No update but report by default when run from a browser
+ 	$UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+ 
+-	if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++	if ( $QueryString =~ /config=([^&]+)/i ) { 
++		$SiteConfig = &Sanitize("$1");
++		$SiteConfig =~ s/\.\.//g; 		# Avoid directory transversal
++	}
+ 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ 		$PluginMode = &Sanitize( "$1", 1 );
+@@ -17227,7 +17233,10 @@ sub HTMLMainExtra{
+ 	# Update with no report by default when run from command line
+ 	$UpdateStats = 1;
+ 
+-	if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++	if ( $QueryString =~ /config=([^&]+)/i ) { 
++		$SiteConfig = &Sanitize("$1"); 
++		$SiteConfig =~ s/\.\.//g; 
++	}
+ 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ 		$PluginMode = &Sanitize( "$1", 1 );
diff --git a/main/awstats/CVE-2017-1000501-2.patch b/main/awstats/CVE-2017-1000501-2.patch
new file mode 100644
index 0000000000..cbf070e02a
--- /dev/null
+++ b/main/awstats/CVE-2017-1000501-2.patch
@@ -0,0 +1,67 @@
+From 06c0ab29c1e5059d9e0279c6b64d573d619e1651 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur <eldy@destailleur.fr>
+Date: Wed, 27 Dec 2017 13:39:57 +0100
+Subject: [PATCH] Fix another vulnerability reported by cPanel Security Team
+ (can execute arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index fca4900f..4f14c6ee 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -17145,7 +17145,6 @@ sub HTMLMainExtra{
+ 
+ 	if ( $QueryString =~ /config=([^&]+)/i ) { 
+ 		$SiteConfig = &Sanitize("$1");
+-		$SiteConfig =~ s/\.\.//g; 		# Avoid directory transversal
+ 	}
+ 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+@@ -17191,10 +17190,13 @@ sub HTMLMainExtra{
+ 	# If migrate
+ 	if ( $QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i ) {
+ 		$MigrateStats = &Sanitize("$2");
++
+ 		$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+-		$SiteConfig = $5 ? $5 : 'xxx';
++		$SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ 		$SiteConfig =~ s/^\.//;    # SiteConfig is used to find config file
+ 	}
++
++	$SiteConfig =~ s/\.\.//g; 		# Avoid directory transversal
+ }
+ else {                             # Run from command line
+ 	$DebugMessages = 1;
+@@ -17204,9 +17206,10 @@ sub HTMLMainExtra{
+ 
+ 		# If migrate
+ 		if ( $ARGV[$_] =~ /(^|-|&|&amp;)migrate=([^&]+)/i ) {
+-			$MigrateStats = "$2";
++			$MigrateStats = &Sanitize("$2");
++
+ 			$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+-			$SiteConfig = $5 ? $5 : 'xxx';
++			$SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ 			$SiteConfig =~ s/^\.//;    # SiteConfig is used to find config file
+ 			next;
+ 		}
+@@ -17235,7 +17238,6 @@ sub HTMLMainExtra{
+ 
+ 	if ( $QueryString =~ /config=([^&]+)/i ) { 
+ 		$SiteConfig = &Sanitize("$1"); 
+-		$SiteConfig =~ s/\.\.//g; 
+ 	}
+ 	if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ 	if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+@@ -17301,6 +17303,8 @@ sub HTMLMainExtra{
+ 		$ShowDirectOrigin = 1;
+ 		$QueryString =~ s/showdirectorigin[^&]*//i;
+ 	}
++	
++	$SiteConfig =~ s/\.\.//g; 
+ }
+ if ( $QueryString =~ /(^|&|&amp;)staticlinks/i ) {
+ 	$StaticLinks = "$PROG.$SiteConfig";