From bd71d7a4312bb20790845d603b001b7c16f389a120aa9d9800dbddb7594cfc77 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 18 Oct 2011 11:42:50 +0000
Subject: [PATCH] revert last commit
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cgit?expand=0&rev=5
---
 cgit-CVE-2011-2711-fix.diff | 35 +++++++++++
 cgit-optflags.diff | 14 +++++
 cgit.changes | 120 ++++++++++++++++++++++++++++++++++++
 cgit.spec | 87 ++++++++++++++++++++++++++
 cgitrc | 63 +++++++++++++++++++
 project.diff | 68 --------------------
 6 files changed, 319 insertions(+), 68 deletions(-)
 create mode 100644 cgit-CVE-2011-2711-fix.diff
 create mode 100644 cgit-optflags.diff
 create mode 100644 cgit.changes
 create mode 100644 cgit.spec
 create mode 100644 cgitrc
 delete mode 100644 project.diff
diff --git a/cgit-CVE-2011-2711-fix.diff b/cgit-CVE-2011-2711-fix.diff
new file mode 100644
index 0000000..c2af191
--- /dev/null
+++ b/cgit-CVE-2011-2711-fix.diff
@@ -0,0 +1,35 @@
+From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
+From: Lukas Fleischer
+Date: Fri, 22 Jul 2011 11:47:19 +0000
+Subject: Fix potential XSS vulnerability in rename hint
+
+The file name displayed in the rename hint should be escaped to avoid
+XSS. Note that this vulnerability is only applicable when an attacker
+has gained push access to the repository.
+
+Signed-off-by: Lukas Fleischer
+Signed-off-by: Lars Hjemli
+---
+---
+ ui-diff.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/ui-diff.c
++++ b/ui-diff.c
+@@ -97,10 +97,12 @@
+ htmlf("", class);
+ cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
+ ctx.qry.sha2, info->new_path, 0);
+- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
+- htmlf(" (%s from %s)",
+- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
+- info->old_path);
++ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
++ htmlf(" (%s from ",
++ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
++ html_txt(info->old_path);
++ html(")");
++ }
+ html("");
+ if (info->binary) {
+ htmlf("bin%ld -> %ld bytes",
diff --git a/cgit-optflags.diff b/cgit-optflags.diff
new file mode 100644
index 0000000..17bc793
--- /dev/null
+++ b/cgit-optflags.diff
@@ -0,0 +1,14 @@
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Makefile
++++ b/Makefile
+@@ -134,6 +134,7 @@
+
+
+ CFLAGS += -g -Wall -Igit
++CFLAGS += $(RPM_OPT_FLAGS)
+ CFLAGS += -DSHA1_HEADER='$(SHA1_HEADER)'
+ CFLAGS += -DCGIT_VERSION='"$(CGIT_VERSION)"'
+ CFLAGS += -DCGIT_CONFIG='"$(CGIT_CONFIG)"'
diff --git a/cgit.changes b/cgit.changes
new file mode 100644
index 0000000..e79ba00
--- /dev/null
+++ b/cgit.changes
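Review bot: The new branch escapes `info->old_path` with `html_txt()`, but `info->new_path` on the two context lines just above is still handed to `cgit_diff_link()` without any escaping visible here, and in the stated threat model the same pusher controls both names. Whether that path is safe depends on `cgit_diff_link()` applying `html_txt()` to the link text and `html_attr()` to the href, which is outside this hunk; I would confirm that in ui-shared.c before treating CVE-2011-2711 as fully closed in this build. Since this is a distro backport, a one-line provenance comment at the top of the patch file, `# upstream cgit commit bebe89d7, CVE-2011-2711`, would make the next rebase easier. The enclosing function begins before and continues after this hunk.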
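Review bot: `CFLAGS += $(RPM_OPT_FLAGS)` only reaches cgit's own objects; the spec in this same commit moves git-1.7.6.4 into `git/` (hence the `-Igit` on the line above) and cgit links against a libgit built from that tree, and whether that sub-build inherits these CFLAGS is outside this hunk. If it does not, the distro hardening flags carried by RPM_OPT_FLAGS (stack protector, FORTIFY_SOURCE) are missing from a large part of the code that ends up in cgit.cgi — worth checking in the `make V=1` output and, if so, passing `CFLAGS="$(CFLAGS)"` through to the git sub-make. Outside rpmbuild the variable is simply empty, which is harmless.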
@@ -0,0 +1,120 @@
+-------------------------------------------------------------------
+Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de
+
+- split from OBS git repo to an individual repo (since cgit-0.9
+ doesn't build with git-1.7.7)
+- merged fixes in git repo back to cgit repo
+- updated to git 1.7.6.4
+
+-------------------------------------------------------------------
+Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org
+
+- updated to cgit 0.9.0.2
+- fixed potential XSS vulnerability in rename hint
+- fixed a segfault with git 1.7.6
+
+-------------------------------------------------------------------
+Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de
+
+- updated to git 1.7.6: see git changelog for more details
+
+-------------------------------------------------------------------
+Mon Jun 6 16:03:34 CEST 2011 - tiwai@suse.de
+
+- updated to git 1.7.5.4: see git changelog for more details
+
+-------------------------------------------------------------------
+Mon Jun 6 12:24:02 CEST 2011 - tiwai@suse.de
+
+- Fix incompatibilies with git 1.7.5.x to build cgit again
+
+-------------------------------------------------------------------
+Wed Jun 1 12:41:12 UTC 2011 - mmarek@novell.com
+
+- Do not buildrequire git, the package builds it's own git and the
+ buildrequires line only makes backporting harder.
+
+-------------------------------------------------------------------
+Fri May 27 11:54:43 CEST 2011 - tiwai@suse.de
+
+- updated git 1.7.5.3:
+ See git changelog for more details
+
+-------------------------------------------------------------------
+Mon Mar 28 18:26:17 CEST 2011 - tiwai@suse.de
+
+- updated to git 1.7.4.2:
+ documentation updates, small bug fixes;
+ see included Documentation/RelNotes/1.7.4.2.txt
+- updated to cgit 0.9:
+ major updates; using git-1.7.4.x
+
+-------------------------------------------------------------------
+Fri Dec 17 17:51:32 CET 2010 - tiwai@suse.de
+
+- updated to git 1.7.3.3:
+ In addition to the usual fixes, this release also includes
+ support for the new "add.ignoreErrors" name given to the
+ existing "add.ignore-errors" configuration variable.
+- updated to git 1.7.3.4:
+ Among many fixes since v1.7.3.3, it contains a fix to a recently
+ discovered XSS vulnerability in Gitweb (CVE 2010-3906)
+
+-------------------------------------------------------------------
+Thu Sep 30 08:21:27 CEST 2010 - tiwai@suse.de
+
+- updated to git 1.7.3:
+ major version update; new options and behavior for git-rebase,
+ git-clean, git-checkout, git-gui.
+ See release note:
+ http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.3.txt
+- updated to git 1.7.3.1:
+ fix git-stash breakages
+- Set NO_CROSS_DIRECTORY_HARDLINKS=1 to satisfy BS
+
+-------------------------------------------------------------------
+Fri Aug 20 17:41:32 CEST 2010 - anschneider@exsuse.de
+
+- fixed more segfaults in cgit.
+
+-------------------------------------------------------------------
+Fri Aug 20 16:29:03 CEST 2010 - anschneider@exsuse.de
+
+- fix cgit segfault when using git > 1.7
+- update to version 0.8.3.3
+- get debuginfo working, don't strip binaries.
+
+-------------------------------------------------------------------
+Fri Aug 20 10:02:44 CEST 2010 - tiwai@suse.de
+
+- updated to git 1.7.2.2
+
+-------------------------------------------------------------------
+Thu Jul 29 13:52:36 CEST 2010 - tiwai@suse.de
+
+- fix missing link with libpthread
+
+-------------------------------------------------------------------
+Thu Jul 29 13:43:28 CEST 2010 - tiwai@suse.de
+
+- updated to git 1.7.2.1: minor fixes for git-instaweb, git-web,
+ git-config. See release note:
+ http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.1.txt
+
+-------------------------------------------------------------------
+Thu Jul 22 12:19:02 CEST 2010 - tiwai@suse.de
+
+- updated to git 1.7.2: mostly bug fixes and small enhancements;
+ see the release note:
+ http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.txt
+- gitweb stuff is moved to /usr/share/gitweb
+
+-------------------------------------------------------------------
+Sun Apr 25 18:29:34 UTC 2010 - poletti.marco@gmail.com
+
+- Build against version 1.7.0.3 of git instead of 1.6.4.3.
+
+-------------------------------------------------------------------
+Fri Feb 5 16:37:58 UTC 2010 - poletti.marco@gmail.com
+
+- Initial release, version 0.8.3.1
diff --git a/cgit.spec b/cgit.spec
new file mode 100644
index 0000000..0074c9a
--- /dev/null
+++ b/cgit.spec
@@ -0,0 +1,87 @@
+#
+# spec file for package cgit
+#
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+%define git_version 1.7.6.4
+
+Name: cgit
+Url: http://hjemli.net/git/cgit/
+License: GPLv2
+Group: Development/Libraries/C and C++
+AutoReqProv: on
+Version: 0.9.0.2
+Release: 7
+Summary: A web frontend for git repositories
+Source0: %{name}-%{version}.tar.bz2
+Source1: git-%{git_version}.tar.gz
+Source2: cgitrc
+Patch: cgit-optflags.diff
+Patch1: cgit-git-1.7.6_build_fix.patch
+Patch2: cgit-CVE-2011-2711-fix.diff
+# Requirements for cgit
+BuildRequires: gnu-crypto libopenssl-devel libzip-devel
+# Requirements for cgitrc man page generation
+BuildRequires: asciidoc libxslt
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+This is an attempt to create a fast web interface for the git scm, using a
+builtin cache to decrease server io-pressure.
+
+Authors:
+--------
+ Lars Hjemli (hjemli@gmail.com)
+
+%prep
+%setup -q
+%setup -q -T -D -a 1
+%patch -p1
+%patch1 -p1
+%patch2 -p1
+rm -rf git
+mv git-%{git_version} git
+
+%build
+make V=1
+
+%install
+make install DESTDIR="%{buildroot}" CGIT_SCRIPT_PATH=/srv/www/htdocs/cgit
+make install-man DESTDIR="%{buildroot}"
+
+mkdir -p "%{buildroot}"/srv/www/cgi-bin/cgit/
+mv "%{buildroot}"/srv/www/{htdocs,cgi-bin}/cgit/cgit.cgi
+
+mkdir -p "%{buildroot}"/etc
+cp %{SOURCE2} "%{buildroot}"/etc/cgitrc
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root)
+%doc README COPYING
+%doc %{_mandir}/man5/cgitrc.5.gz
+%dir /srv/www/htdocs/cgit
+%dir /srv/www/cgi-bin/cgit
+/srv/www/cgi-bin/cgit/cgit.cgi
+/srv/www/htdocs/cgit/cgit.css
+/srv/www/htdocs/cgit/cgit.png
+/usr/lib/cgit
+%config(noreplace) /etc/cgitrc
+
+%changelog
diff --git a/cgitrc b/cgitrc
new file mode 100644
index 0000000..303a60f
--- /dev/null
+++ b/cgitrc
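Review bot: `Patch2: cgit-CVE-2011-2711-fix.diff` carries a security fix, but neither the spec nor the restored cgit.changes entry ("fixed potential XSS vulnerability in rename hint") names CVE-2011-2711 or bnc#707929, whereas the project.diff being deleted shows the previous state did record "Fix VUL-0: cgit: XSS flaw in rename hint (CVE-2011-2711, bnc#707929)". Security trackers and anyone auditing `rpm -q --changelog cgit` match on the identifier, so this revert silently loses the audit trail for the fix. I would keep it in the spec with a comment above the patch line, `# CVE-2011-2711 / bnc#707929: XSS via unescaped old_path in the diff rename hint (upstream bebe89d7)`, and restore the identifier in the .changes entry when it is next touched.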
@@ -0,0 +1,63 @@
+# Enable caching of up to 1000 output entriess
+cache-size=1000
+
+# Specify some default clone prefixes
+clone-prefix=ssh://domain.com/var/git
+
+# Specify the css url
+css=/git/cgit.css
+
+# Specify the logo url
+logo=/git/cgit.png
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Set the title and heading of the repository index page
+root-title=git repositories
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+
+##
+## List of common mimetypes
+##
+
+mimetype.git=image/git
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+
+##
+## List of repositories.
+## PS: Any repositories listed when section is unset will not be
+## displayed under a section heading
+## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
+## and included like this:
+## include=/etc/cgitrepos
+##
+
+# Add your repositories here.
+#
+# Examples:
+#
+# repo.url=main
+# repo.path=/var/git/main.git
+# repo.desc=Main repository
+# repo.owner=your.email@domain.com
+#
+# repo.url=secondary
+# repo.path=/var/git/ut.git
+# repo.desc=Secondary repository
+# repo.owner=another.email@domain.com
diff --git a/project.diff b/project.diff
deleted file mode 100644
index 0cd95a3..0000000
--- a/project.diff
+++ /dev/null
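Review bot: `mimetype.html=text/html` and `mimetype.svg=image/svg+xml` in the "common mimetypes" section make cgit's plain view (which, as far as I recall, sends the configured type as the Content-Type of the raw blob) serve repository files as active content in the cgit origin, so anyone with push access to any listed repository can host arbitrary HTML/JS or scripted SVG there — exactly the threat model that the CVE-2011-2711 patch in this same commit closes for the rename hint. For a shipped default I would drop those two lines (cgit then falls back to text/plain or application/octet-stream) or at least extend the comment: `## NOTE: mapping html/svg to their native types lets pushers serve active content from this origin; only enable when cgit is on its own hostname`. Separately, `mimetype.git=image/git` looks like a typo for `mimetype.gif=image/gif`, and `css=/git/cgit.css` / `logo=/git/cgit.png` do not match where the spec installs them (`/srv/www/htdocs/cgit/`), which under the default /srv/www/htdocs document root would be `/cgit/cgit.css` and `/cgit/cgit.png`.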
@@ -1,68 +0,0 @@
---- cgit.changes.orig
-+++ cgit.changes
-@@ -1,28 +1,17 @@
- -------------------------------------------------------------------
--Tue Oct 4 20:27:08 CEST 2011 - tiwai@suse.de
-+Fri Oct 14 10:13:03 CEST 2011 - tiwai@suse.de
- 
--- updated to git 1.7.7; see git changelog for more details
-+- split from OBS git repo to an individual repo (since cgit-0.9
-+ doesn't build with git-1.7.7)
-+- merged fixes in git repo back to cgit repo
-+- updated to git 1.7.6.4
- 
- -------------------------------------------------------------------
--Mon Sep 26 12:57:01 CEST 2011 - tiwai@suse.de
-+Wed Aug 3 21:35:48 UTC 2011 - asn@cryptomilk.org
- 
--- updated to git 1.7.6.4; see git changelog for more details
--
---------------------------------------------------------------------
--Wed Sep 21 08:43:35 CEST 2011 - tiwai@suse.de
--
--- updated to 1.7.6.2, 1.7.6.3: see git changelog for more details
--
---------------------------------------------------------------------
--Thu Aug 25 12:23:22 CEST 2011 - tiwai@suse.de
--
--- update to git 1.7.6.1: see git changelog for more details
--
---------------------------------------------------------------------
--Fri Aug 5 15:13:43 CEST 2011 - tiwai@suse.de
--
--- Fix VUL-0: cgit: XSS flaw in rename hint (CVE-2011-2711,
-- bnc#707929)
-+- updated to cgit 0.9.0.2
-+- fixed potential XSS vulnerability in rename hint
-+- fixed a segfault with git 1.7.6
- 
- -------------------------------------------------------------------
- Mon Jun 27 18:22:11 CEST 2011 - tiwai@suse.de
---- cgit.spec.orig
-+++ cgit.spec
-@@ -17,21 +17,21 @@
- 
- # norootforbuild
- 
--%define git_version 1.7.7
-+%define git_version 1.7.6.4
- 
- Name: cgit
- Url: http://hjemli.net/git/cgit/
- License: GPLv2
- Group: Development/Libraries/C and C++
- AutoReqProv: on
--Version: 0.9
--Release: 9
-+Version: 0.9.0.2
-+Release: 7
- Summary: A web frontend for git repositories
- Source0: %{name}-%{version}.tar.bz2
- Source1: git-%{git_version}.tar.gz
- Source2: cgitrc
- Patch: cgit-optflags.diff
--Patch1: cgit-git-1.7.5.x-build-fix.diff
-+Patch1: cgit-git-1.7.6_build_fix.patch
- Patch2: cgit-CVE-2011-2711-fix.diff
- # Requirements for cgit
- BuildRequires: gnu-crypto libopenssl-devel libzip-devel