Bug 951562 (CVE-2013-1939)

Summary: CVE-2013-1939 php-sabredav-Sabre_DAV: Local file exposure due improper icons / images path checking in the HTML Browser plug-in
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jmarrero
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130411,reported=20130411,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,fedora-all/php-sabredav-Sabre_DAV=affected,epel-6/php-sabredav-Sabre_DAV=affected
Fixed In Version: SabreDAV 1.6.9, SabreDAV 1.7.7, SabreDav 1.8.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-28 14:57:16 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 951568, 951569    
Bug Blocks:    

Description Jan Lieskovsky 2013-04-12 09:38:02 EDT
A local file exposure flaw was found in the way HTML browser plug-in of SabreDAV, a WebDAV framework for the PHP language, processed certain file system paths for icon and image files on certain platforms. A remote attacker could provide a specially-crafted icon / image file location that, when processed by an application using the SabreDav framework, would allow them to (remotely) obtain arbitary system file, accessible with the privileges of that SabreDAV application.

[1] https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ
[2] http://www.openwall.com/lists/oss-security/2013/04/11/3

Relevant upstream patch (seems to be the following):
[3] https://github.com/evert/SabreDAV/commit/5f6d71b2c4e2d3c6fc32c20afe7331e38877c489
Comment 1 Jan Lieskovsky 2013-04-12 09:40:05 EDT
This issue affects the versions of the php-sabredav-Sabre_DAV package, as shipped with Fedora release of 17 and 18. Please schedule an update.


This issue affects the version of the php-sabredav-Sabre_DAV package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-04-12 09:41:08 EDT
Created php-sabredav-Sabre_DAV tracking bugs for this issue

Affects: fedora-all [bug 951568]
Affects: epel-6 [bug 951569]
Comment 3 Jan Lieskovsky 2013-04-12 09:58:07 EDT
Suggested workaround (from [1]):
As a workaround, you setup the plugin as such:

// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);

// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);

To disable this feature completely.
Comment 4 Fedora Update System 2013-05-24 15:09:46 EDT
php-sabredav-Sabre_DAV-1.6.5-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Joseph Marrero 2013-08-28 14:57:16 EDT
Fixed back porting the upstream fix. Been fixed since 05/24/2013.