diff --git a/cgit-CVE-2011-2711-fix.diff b/cgit-CVE-2011-2711-fix.diff deleted file mode 100644 index c2af191..0000000 --- a/cgit-CVE-2011-2711-fix.diff +++ /dev/null @@ -1,35 +0,0 @@ -From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001 -From: Lukas Fleischer -Date: Fri, 22 Jul 2011 11:47:19 +0000 -Subject: Fix potential XSS vulnerability in rename hint - -The file name displayed in the rename hint should be escaped to avoid -XSS. Note that this vulnerability is only applicable when an attacker -has gained push access to the repository. - -Signed-off-by: Lukas Fleischer -Signed-off-by: Lars Hjemli ---- ---- - ui-diff.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - ---- a/ui-diff.c -+++ b/ui-diff.c -@@ -97,10 +97,12 @@ - htmlf("", class); - cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1, - ctx.qry.sha2, info->new_path, 0); -- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) -- htmlf(" (%s from %s)", -- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed", -- info->old_path); -+ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) { -+ htmlf(" (%s from ", -+ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed"); -+ html_txt(info->old_path); -+ html(")"); -+ } - html(""); - if (info->binary) { - htmlf("bin%ld -> %ld bytes", diff --git a/cgit-optflags.diff b/cgit-optflags.diff deleted file mode 100644 index 17bc793..0000000 --- a/cgit-optflags.diff +++ /dev/null @@ -1,14 +0,0 @@ ---- - Makefile | 1 + - 1 file changed, 1 insertion(+) - ---- a/Makefile -+++ b/Makefile -@@ -134,6 +134,7 @@ - - - CFLAGS += -g -Wall -Igit -+CFLAGS += $(RPM_OPT_FLAGS) - CFLAGS += -DSHA1_HEADER='$(SHA1_HEADER)' - CFLAGS += -DCGIT_VERSION='"$(CGIT_VERSION)"' - CFLAGS += -DCGIT_CONFIG='"$(CGIT_CONFIG)"' diff --git a/cgit.changes b/cgit.changes deleted file mode 100644 index e79ba00..0000000 --- a/cgit.changes +++ /dev/null 
@@ -1,120 +0,0 @@ -------------------------------------------------------------------- -Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de - -- split from OBS git repo to an individual repo (since cgit-0.9 - doesn't build with git-1.7.7) -- merged fixes in git repo back to cgit repo -- updated to git 1.7.6.4 - -------------------------------------------------------------------- -Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org - -- updated to cgit 0.9.0.2 -- fixed potential XSS vulnerability in rename hint -- fixed a segfault with git 1.7.6 - -------------------------------------------------------------------- -Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de - -- updated to git 1.7.6: see git changelog for more details - -------------------------------------------------------------------- -Mon Jun 6 16:03:34 CEST 2011 - tiwai@suse.de - -- updated to git 1.7.5.4: see git changelog for more details - -------------------------------------------------------------------- -Mon Jun 6 12:24:02 CEST 2011 - tiwai@suse.de - -- Fix incompatibilies with git 1.7.5.x to build cgit again - -------------------------------------------------------------------- -Wed Jun 1 12:41:12 UTC 2011 - mmarek@novell.com - -- Do not buildrequire git, the package builds it's own git and the - buildrequires line only makes backporting harder. 
- -------------------------------------------------------------------- -Fri May 27 11:54:43 CEST 2011 - tiwai@suse.de - -- updated git 1.7.5.3: - See git changelog for more details - -------------------------------------------------------------------- -Mon Mar 28 18:26:17 CEST 2011 - tiwai@suse.de - -- updated to git 1.7.4.2: - documentation updates, small bug fixes; - see included Documentation/RelNotes/1.7.4.2.txt -- updated to cgit 0.9: - major updates; using git-1.7.4.x - -------------------------------------------------------------------- -Fri Dec 17 17:51:32 CET 2010 - tiwai@suse.de - -- updated to git 1.7.3.3: - In addition to the usual fixes, this release also includes - support for the new "add.ignoreErrors" name given to the - existing "add.ignore-errors" configuration variable. -- updated to git 1.7.3.4: - Among many fixes since v1.7.3.3, it contains a fix to a recently - discovered XSS vulnerability in Gitweb (CVE 2010-3906) - -------------------------------------------------------------------- -Thu Sep 30 08:21:27 CEST 2010 - tiwai@suse.de - -- updated to git 1.7.3: - major version update; new options and behavior for git-rebase, - git-clean, git-checkout, git-gui. - See release note: - http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.3.txt -- updated to git 1.7.3.1: - fix git-stash breakages -- Set NO_CROSS_DIRECTORY_HARDLINKS=1 to satisfy BS - -------------------------------------------------------------------- -Fri Aug 20 17:41:32 CEST 2010 - anschneider@exsuse.de - -- fixed more segfaults in cgit. - -------------------------------------------------------------------- -Fri Aug 20 16:29:03 CEST 2010 - anschneider@exsuse.de - -- fix cgit segfault when using git > 1.7 -- update to version 0.8.3.3 -- get debuginfo working, don't strip binaries. 
- -------------------------------------------------------------------- -Fri Aug 20 10:02:44 CEST 2010 - tiwai@suse.de - -- updated to git 1.7.2.2 - -------------------------------------------------------------------- -Thu Jul 29 13:52:36 CEST 2010 - tiwai@suse.de - -- fix missing link with libpthread - -------------------------------------------------------------------- -Thu Jul 29 13:43:28 CEST 2010 - tiwai@suse.de - -- updated to git 1.7.2.1: minor fixes for git-instaweb, git-web, - git-config. See release note: - http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.1.txt - -------------------------------------------------------------------- -Thu Jul 22 12:19:02 CEST 2010 - tiwai@suse.de - -- updated to git 1.7.2: mostly bug fixes and small enhancements; - see the release note: - http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.txt -- gitweb stuff is moved to /usr/share/gitweb - -------------------------------------------------------------------- -Sun Apr 25 18:29:34 UTC 2010 - poletti.marco@gmail.com - -- Build against version 1.7.0.3 of git instead of 1.6.4.3. - -------------------------------------------------------------------- -Fri Feb 5 16:37:58 UTC 2010 - poletti.marco@gmail.com - -- Initial release, version 0.8.3.1 diff --git a/cgit.spec b/cgit.spec deleted file mode 100644 index 0074c9a..0000000 --- a/cgit.spec +++ /dev/null 
@@ -1,87 +0,0 @@ -# -# spec file for package cgit -# -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# - -# norootforbuild - -%define git_version 1.7.6.4 - -Name: cgit -Url: http://hjemli.net/git/cgit/ -License: GPLv2 -Group: Development/Libraries/C and C++ -AutoReqProv: on -Version: 0.9.0.2 -Release: 7 -Summary: A web frontend for git repositories -Source0: %{name}-%{version}.tar.bz2 -Source1: git-%{git_version}.tar.gz -Source2: cgitrc -Patch: cgit-optflags.diff -Patch1: cgit-git-1.7.6_build_fix.patch -Patch2: cgit-CVE-2011-2711-fix.diff -# Requirements for cgit -BuildRequires: gnu-crypto libopenssl-devel libzip-devel -# Requirements for cgitrc man page generation -BuildRequires: asciidoc libxslt -BuildRoot: %{_tmppath}/%{name}-%{version}-build - -%description -This is an attempt to create a fast web interface for the git scm, using a -builtin cache to decrease server io-pressure. 
- -Authors: --------- - Lars Hjemli (hjemli@gmail.com) - -%prep -%setup -q -%setup -q -T -D -a 1 -%patch -p1 -%patch1 -p1 -%patch2 -p1 -rm -rf git -mv git-%{git_version} git - -%build -make V=1 - -%install -make install DESTDIR="%{buildroot}" CGIT_SCRIPT_PATH=/srv/www/htdocs/cgit -make install-man DESTDIR="%{buildroot}" - -mkdir -p "%{buildroot}"/srv/www/cgi-bin/cgit/ -mv "%{buildroot}"/srv/www/{htdocs,cgi-bin}/cgit/cgit.cgi - -mkdir -p "%{buildroot}"/etc -cp %{SOURCE2} "%{buildroot}"/etc/cgitrc - -%clean -rm -rf %{buildroot} - -%files -%defattr(-,root,root) -%doc README COPYING -%doc %{_mandir}/man5/cgitrc.5.gz -%dir /srv/www/htdocs/cgit -%dir /srv/www/cgi-bin/cgit -/srv/www/cgi-bin/cgit/cgit.cgi -/srv/www/htdocs/cgit/cgit.css -/srv/www/htdocs/cgit/cgit.png -/usr/lib/cgit -%config(noreplace) /etc/cgitrc - -%changelog diff --git a/cgitrc b/cgitrc deleted file mode 100644 index 303a60f..0000000 --- a/cgitrc +++ /dev/null 
@@ -1,63 +0,0 @@ -# Enable caching of up to 1000 output entriess -cache-size=1000 - -# Specify some default clone prefixes -clone-prefix=ssh://domain.com/var/git - -# Specify the css url -css=/git/cgit.css - -# Specify the logo url -logo=/git/cgit.png - -# Show extra links for each repository on the index page -enable-index-links=1 - -# Show number of affected files per commit on the log pages -enable-log-filecount=1 - -# Show number of added/removed lines per commit on the log pages -enable-log-linecount=1 - -# Set the title and heading of the repository index page -root-title=git repositories - -# Allow download of tar.gz, tar.bz2 and zip-files -snapshots=tar.gz tar.bz2 zip - - -## -## List of common mimetypes -## - -mimetype.git=image/git -mimetype.html=text/html -mimetype.jpg=image/jpeg -mimetype.jpeg=image/jpeg -mimetype.pdf=application/pdf -mimetype.png=image/png -mimetype.svg=image/svg+xml - - -## -## List of repositories. -## PS: Any repositories listed when section is unset will not be -## displayed under a section heading -## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos') -## and included like this: -## include=/etc/cgitrepos -## - -# Add your repositories here. -# -# Examples: -# -# repo.url=main -# repo.path=/var/git/main.git -# repo.desc=Main repository -# repo.owner=your.email@domain.com -# -# repo.url=secondary -# repo.path=/var/git/ut.git -# repo.desc=Secondary repository -# repo.owner=another.email@domain.com diff --git a/project.diff b/project.diff new file mode 100644 index 0000000..0cd95a3 --- /dev/null +++ b/project.diff 
@@ -0,0 +1,68 @@ +--- cgit.changes.orig ++++ cgit.changes +@@ -1,28 +1,17 @@ + ------------------------------------------------------------------- +-Tue Oct 4 20:27:08 CEST 2011 - tiwai@suse.de ++Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de + +-- updated to git 1.7.7; see git changelog for more details ++- split from OBS git repo to an individual repo (since cgit-0.9 ++ doesn't build with git-1.7.7) ++- merged fixes in git repo back to cgit repo ++- updated to git 1.7.6.4 + + ------------------------------------------------------------------- +-Mon Sep 26 12:57:01 CEST 2011 - tiwai@suse.de ++Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org + +-- updated to git 1.7.6.4; see git changelog for more details +- +-------------------------------------------------------------------- +-Wed Sep 21 08:43:35 CEST 2011 - tiwai@suse.de +- +-- updated to 1.7.6.2, 1.7.6.3: see git changelog for more details +- +-------------------------------------------------------------------- +-Thu Aug 25 12:23:22 CEST 2011 - tiwai@suse.de +- +-- update to git 1.7.6.1: see git changelog for more details +- +-------------------------------------------------------------------- +-Fri Aug 5 15:13:43 CEST 2011 - tiwai@suse.de +- +-- Fix VUL-0: cgit: XSS flaw in rename hint (CVE-2011-2711, +- bnc#707929) ++- updated to cgit 0.9.0.2 ++- fixed potential XSS vulnerability in rename hint ++- fixed a segfault with git 1.7.6 + + ------------------------------------------------------------------- + Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de +--- cgit.spec.orig ++++ cgit.spec +@@ -17,21 +17,21 @@ + + # norootforbuild + +-%define git_version 1.7.7 ++%define git_version 1.7.6.4 + + Name: cgit + Url: http://hjemli.net/git/cgit/ + License: GPLv2 + Group: Development/Libraries/C and C++ + AutoReqProv: on +-Version: 0.9 +-Release: 9 ++Version: 0.9.0.2 ++Release: 7 + Summary: A web frontend for git repositories + Source0: %{name}-%{version}.tar.bz2 + Source1: git-%{git_version}.tar.gz + Source2: cgitrc + Patch: 
cgit-optflags.diff +-Patch1: cgit-git-1.7.5.x-build-fix.diff ++Patch1: cgit-git-1.7.6_build_fix.patch + Patch2: cgit-CVE-2011-2711-fix.diff + # Requirements for cgit + BuildRequires: gnu-crypto libopenssl-devel libzip-devel
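Review bot: The rewritten cgit.changes entry in project.diff drops the vulnerability identifiers that the entry it replaces carried: `- Fix VUL-0: cgit: XSS flaw in rename hint (CVE-2011-2711, bnc#707929)` becomes `- fixed potential XSS vulnerability in rename hint`. Someone auditing the package from its changelog can then no longer tie the rename-hint fix to CVE-2011-2711, even though the spec context still lists `Patch2: cgit-CVE-2011-2711-fix.diff`. I would keep the reference in the new entry, for example `- fixed potential XSS vulnerability in rename hint (CVE-2011-2711, bnc#707929)`. Separately, `%define git_version` goes from 1.7.7 back to 1.7.6.4, which the changelog attributes to cgit-0.9 not building with git-1.7.7. A spec comment beside the define, such as `# pinned: cgit 0.9.x does not build with git 1.7.7`, would show that the older bundled git is deliberate.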