From 792cf81fdde3205403edb46461b8ed1e97557f64b4ae49aa1f935a0a8ee3ab09 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 20 Nov 2012 11:18:29 +0000
Subject: [PATCH 1/3] Accepting request 142049 from home:tiwai:branches:devel:tools:scm
- updated to cgit-0.9.1:
Enhancements:
- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile
Security:
- CVE-2012-4465: heap-buffer overflow in parsing.c
- CVE-2012-4548: syntax highlighting command injection
Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stablization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
OBS-URL: https://build.opensuse.org/request/show/142049
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=15
---
cgit-0.9.0.2.tar.bz2 | 3 -
cgit-0.9.1.tar.xz | 3 +
cgit-CVE-2011-2711-fix.diff | 35 --------
cgit-CVE-2012-4465-fix.diff | 171 ------------------------------------
cgit-CVE-2012-4548-fix.diff | 24 -----
cgit.changes | 30 +++++++
cgit.spec | 12 +--
7 files changed, 36 insertions(+), 242 deletions(-)
delete mode 100644 cgit-0.9.0.2.tar.bz2
create mode 100644 cgit-0.9.1.tar.xz
delete mode 100644 cgit-CVE-2011-2711-fix.diff
delete mode 100644 cgit-CVE-2012-4465-fix.diff
delete mode 100644 cgit-CVE-2012-4548-fix.diff
diff --git a/cgit-0.9.0.2.tar.bz2 b/cgit-0.9.0.2.tar.bz2
deleted file mode 100644
index c0377ce..0000000
--- a/cgit-0.9.0.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:97e0f78f5d4aabe59e3795849c6e1a72900cd558a94d88cb236fee12d72b528c
-size 64203
diff --git a/cgit-0.9.1.tar.xz b/cgit-0.9.1.tar.xz
new file mode 100644
index 0000000..3a2150b
--- /dev/null
+++ b/cgit-0.9.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2d7de92cfcd5d61a7dacee2f603784843903081675f3c74e4845df9185930a0
+size 66472
diff --git a/cgit-CVE-2011-2711-fix.diff b/cgit-CVE-2011-2711-fix.diff
deleted file mode 100644
index c2af191..0000000
--- a/cgit-CVE-2011-2711-fix.diff
+++ /dev/null
@@ -1,35 +0,0 @@
-From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
-From: Lukas Fleischer
-Date: Fri, 22 Jul 2011 11:47:19 +0000
-Subject: Fix potential XSS vulnerability in rename hint
-
-The file name displayed in the rename hint should be escaped to avoid
-XSS. Note that this vulnerability is only applicable when an attacker
-has gained push access to the repository.
-
-Signed-off-by: Lukas Fleischer
-Signed-off-by: Lars Hjemli
----
----
- ui-diff.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
---- a/ui-diff.c
-+++ b/ui-diff.c
-@@ -97,10 +97,12 @@
- htmlf("", class);
- cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
- ctx.qry.sha2, info->new_path, 0);
-- if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
-- htmlf(" (%s from %s)",
-- info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
-- info->old_path);
-+ if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
-+ htmlf(" (%s from ",
-+ info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
-+ html_txt(info->old_path);
-+ html(")");
-+ }
- html("");
- if (info->binary) {
- htmlf("bin%ld -> %ld bytes",
diff --git a/cgit-CVE-2012-4465-fix.diff b/cgit-CVE-2012-4465-fix.diff
deleted file mode 100644
index 035efdb..0000000
--- a/cgit-CVE-2012-4465-fix.diff
+++ /dev/null
@@ -1,171 +0,0 @@ -From 7757d1b046ecb67b830151d20715c658867df1ec Mon Sep 17 00:00:00 2001 -From: Jim Meyering -Date: Mon, 23 Apr 2012 20:06:35 +0000 -Subject: do not write outside heap buffer - -* parsing.c (substr): Handle tail < head. - -This started when I noticed some cgit segfaults on savannah.gnu.org. -Finding the offending URL/commit and then constructing a stand-alone -reproducer were far more time-consuming than writing the actual patch. - -The problem arises with a commit like this, in which the user name -part of the "Author" field is empty: - - $ git log -1 - commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421 - Author: - Date: Mon Apr 23 22:29:16 2012 +0200 - -Here's what happens: - -(this is due to buf=malloc(0); strncpy (buf, head, -1); - where "head" may point to plenty of attacker-specified non-NUL bytes, - so we can overwrite a zero-length heap buffer with arbitrary data) - - Invalid write of size 1 - at 0x4A09361: strncpy (mc_replace_strmem.c:463) - by 0x408977: substr (parsing.c:61) - by 0x4089EF: parse_user (parsing.c:73) - by 0x408D10: cgit_parse_commit (parsing.c:153) - by 0x40A540: cgit_mk_refinfo (shared.c:171) - by 0x40A581: cgit_refs_cb (shared.c:181) - by 0x43DEB3: do_for_each_ref (refs.c:690) - by 0x41075E: cgit_print_branches (ui-refs.c:191) - by 0x416EF2: cgit_print_summary (ui-summary.c:56) - by 0x40780A: summary_fn (cmd.c:120) - by 0x40667A: process_request (cgit.c:544) - by 0x404078: cache_process (cache.c:322) - Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd - at 0x4A0884D: malloc (vg_replace_malloc.c:263) - by 0x455C85: xmalloc (wrapper.c:35) - by 0x40894C: substr (parsing.c:60) - by 0x4089EF: parse_user (parsing.c:73) - by 0x408D10: cgit_parse_commit (parsing.c:153) - by 0x40A540: cgit_mk_refinfo (shared.c:171) - by 0x40A581: cgit_refs_cb (shared.c:181) - by 0x43DEB3: do_for_each_ref (refs.c:690) - by 0x41075E: cgit_print_branches (ui-refs.c:191) - by 0x416EF2: cgit_print_summary (ui-summary.c:56) - by 0x40780A: 
summary_fn (cmd.c:120) - by 0x40667A: process_request (cgit.c:544) - - Invalid write of size 1 - at 0x4A09400: strncpy (mc_replace_strmem.c:463) - by 0x408977: substr (parsing.c:61) - by 0x4089EF: parse_user (parsing.c:73) - by 0x408D10: cgit_parse_commit (parsing.c:153) - by 0x40A540: cgit_mk_refinfo (shared.c:171) - by 0x40A581: cgit_refs_cb (shared.c:181) - by 0x43DEB3: do_for_each_ref (refs.c:690) - by 0x41075E: cgit_print_branches (ui-refs.c:191) - by 0x416EF2: cgit_print_summary (ui-summary.c:56) - by 0x40780A: summary_fn (cmd.c:120) - by 0x40667A: process_request (cgit.c:544) - by 0x404078: cache_process (cache.c:322) - Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd - - Invalid write of size 1 - at 0x4A0940E: strncpy (mc_replace_strmem.c:463) - by 0x408977: substr (parsing.c:61) - by 0x4089EF: parse_user (parsing.c:73) - by 0x408D10: cgit_parse_commit (parsing.c:153) - by 0x40A540: cgit_mk_refinfo (shared.c:171) - by 0x40A581: cgit_refs_cb (shared.c:181) - by 0x43DEB3: do_for_each_ref (refs.c:690) - by 0x41075E: cgit_print_branches (ui-refs.c:191) - by 0x416EF2: cgit_print_summary (ui-summary.c:56) - by 0x40780A: summary_fn (cmd.c:120) - by 0x40667A: process_request (cgit.c:544) - by 0x404078: cache_process (cache.c:322) - Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd - - Process terminating with default action of signal 11 (SIGSEGV) - Access not within mapped region at address 0x502F000 - at 0x4A09400: strncpy (mc_replace_strmem.c:463) - by 0x408977: substr (parsing.c:61) - by 0x4089EF: parse_user (parsing.c:73) - by 0x408D10: cgit_parse_commit (parsing.c:153) - by 0x40A540: cgit_mk_refinfo (shared.c:171) - by 0x40A581: cgit_refs_cb (shared.c:181) - by 0x43DEB3: do_for_each_ref (refs.c:690) - by 0x41075E: cgit_print_branches (ui-refs.c:191) - by 0x416EF2: cgit_print_summary (ui-summary.c:56) - by 0x40780A: summary_fn (cmd.c:120) - by 0x40667A: process_request (cgit.c:544) - by 0x404078: cache_process (cache.c:322) - -This 
happens when tail - head == -1 here: -(parsing.c) - - char *substr(const char *head, const char *tail) - { - char *buf; - - buf = xmalloc(tail - head + 1); - strncpy(buf, head, tail - head); - buf[tail - head] = '\0'; - return buf; - } - - char *parse_user(char *t, char **name, char **email, unsigned long *date) - { - char *p = t; - int mode = 1; - - while (p && *p) { - if (mode == 1 && *p == '<') { - *name = substr(t, p - 1); - t = p; - mode++; - } else if (mode == 1 && *p == '\n') { - -The fix is to handle the case of (tail < head) before calling xmalloc, -thus avoiding passing an invalid value to xmalloc. - -And here's the reproducer: -It was tricky to reproduce, because git prohibits use of an empty "name" -in a commit ID. To construct the offending commit, I had to resort to -using "git hash-object". - -git init -q foo && -( cd foo && - echo a > j && git add . && git ci -q --author='au ' -m. . && - h=$(git cat-file commit HEAD|sed 's/au //' \ - |git hash-object -t commit -w --stdin) && - git co -q -b test $h && - git br -q -D master && - git br -q -m test master) -git clone -q --bare foo foo.git - -cat < in -repo.url=foo.git -repo.path=foo.git -EOF -CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit - -The valgrind output is what you see above. - -AFAICS, this is not exploitable thanks (ironically) to the use of strncpy. -Since that -1 translates to SIZE_MAX and this is strncpy, not only does it -copy whatever is in "head" (up to first NUL), but it also writes -SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that -latter is guaranteed to evoke a segfault. Since cgit is single-threaded, -AFAICS, there is no way that the buffer clobbering can be turned into -an exploit. 
----
-diff --git a/parsing.c b/parsing.c
-index 602e3de..1b2a551 100644
---- a/parsing.c
-+++ b/parsing.c
-@@ -56,6 +56,8 @@ char *substr(const char *head, const char *tail)
- {
- char *buf;
-
-+ if (tail < head)
-+ return xstrdup("");
- buf = xmalloc(tail - head + 1);
- strncpy(buf, head, tail - head);
- buf[tail - head] = '\0';
---
-cgit v0.9.0.3-79-g88f8
diff --git a/cgit-CVE-2012-4548-fix.diff b/cgit-CVE-2012-4548-fix.diff
deleted file mode 100644
index d4fa87c..0000000
--- a/cgit-CVE-2012-4548-fix.diff
+++ /dev/null
@@ -1,24 +0,0 @@
-From 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd Mon Sep 17 00:00:00 2001
-From: Jason A. Donenfeld
-Date: Sun, 28 Oct 2012 02:03:41 +0000
-Subject: syntax-highlighting.sh: Fix command injection.
-
-By not quoting the argument, an attacker with the ability to add files
-to the repository could pass arbitrary arguments to the highlight
-command, in particular, the --plug-in argument which can lead to
-arbitrary command execution.
-
-This patch adds simple argument quoting.
----
----
- filters/syntax-highlighting.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/filters/syntax-highlighting.sh
-+++ b/filters/syntax-highlighting.sh
-@@ -31,4 +31,4 @@ EXTENSION="${BASENAME##*.}"
- # map Makefile and Makefile.* to .mk
- [ "${BASENAME%%.*}" == "Makefile" ] && EXTENSION=mk
-
--exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
-+exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
diff --git a/cgit.changes b/cgit.changes
index f33e0d9..7adc20f 100644
--- a/cgit.changes
+++ b/cgit.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Tue Nov 20 12:04:15 CET 2012 - tiwai@suse.de
+
+- updated to cgit-0.9.1:
+ Enhancements:
+ - path-selected submodule links
+ - intelligent default branch guessing
+ - /etc/mime.types lookup
+ - gitweb.* and cgit.* git-config support
+ - case insensitive sorting and age sorting
+ - commit, repository, and section sorting
+ - bold currently viewed page in pagination
+ - support BSDs in makefile
+ Security:
+ - CVE-2012-4465: heap-buffer overflow in parsing.c
+ - CVE-2012-4548: syntax highlighting command injection
+ Bug Fixes:
+ - transition maintainer to Jason Donenfeld (zx2c4)
+ - download git snapshot from github instead of Lars' old server
+ - css fixes
+ - stablization of tests
+ - more compatible default highlight script
+ - suppress gzip timestamp so that tarballs only use tar timestamps
+ - treat ctags as target in makefile
+ - do not let global variables override certain local repo settings
+ - print ampersand as proper html entity
+ - use placeholder for empty commit subject
+ - format diff view for addition and removal of files
+ - point links at correct blob from ssdiff
+
-------------------------------------------------------------------
Mon Oct 29 11:45:50 CET 2012 - tiwai@suse.de
diff --git a/cgit.spec b/cgit.spec
index 4696412..26cfc5d 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -20,23 +20,20 @@
%define git_version 1.7.6.4
Name: cgit
-Url: http://hjemli.net/git/cgit/
+Url: http://git.zx2c4.com/cgit/
License: GPL-2.0
Group: Development/Libraries/C and C++
AutoReqProv: on
-Version: 0.9.0.2
+Version: 0.9.1
Release: 7
Summary: A web frontend for git repositories
-Source0: %{name}-%{version}.tar.bz2
+Source0: %{name}-%{version}.tar.xz
Source1: git-%{git_version}.tar.gz
Source2: cgitrc
Patch: cgit-optflags.diff
Patch1: cgit-git-1.7.6_build_fix.patch
-Patch2: cgit-CVE-2011-2711-fix.diff
Patch3: cgit-fix-print-tree.diff
Patch4: cgit-fix-more-read_tree_recursive-invocations.diff
-Patch5: cgit-CVE-2012-4465-fix.diff
-Patch6: cgit-CVE-2012-4548-fix.diff
# Requirements for cgit
BuildRequires: gnu-crypto libopenssl-devel libzip-devel
# Requirements for cgitrc man page generation
@@ -56,11 +53,8 @@ Authors:
%setup -q -T -D -a 1
%patch -p1
%patch1 -p1
-%patch2 -p1
%patch3
%patch4
-%patch5 -p1
-%patch6 -p1
rm -rf git
mv git-%{git_version} git
From acbc6bb4c372cadc1a9bc224299ceb0fe7268c18e098fc40f57dcaf84d62d0b6 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 20 Nov 2012 14:54:07 +0000
Subject: [PATCH 2/3] Accepting request 142123 from home:vjt:ifad
Hi, on OpenSUSE < 12.2, xz is needed in BuildRequire.
OBS-URL: https://build.opensuse.org/request/show/142123
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=16
---
cgit.changes | 5 +++++
cgit.spec | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/cgit.changes b/cgit.changes
index 7adc20f..407ad91 100644
--- a/cgit.changes
+++ b/cgit.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Nov 20 13:51:05 UTC 2012 - vjt@openssl.it
+
+- BuildRequire xz
+
-------------------------------------------------------------------
Tue Nov 20 12:04:15 CET 2012 - tiwai@suse.de
diff --git a/cgit.spec b/cgit.spec
index 26cfc5d..e870d13 100644
--- a/cgit.spec
+++ b/cgit.spec
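Review bot: The first hunk drops `Patch2: cgit-CVE-2011-2711-fix.diff` together with the two 2012 CVE patches, but the Security section of the commit message and of the new cgit.changes entry names only CVE-2012-4465 and CVE-2012-4548, so nothing in this request records that 0.9.1 already contains the rename-hint escaping fix. The deleted patch carries a Signed-off-by from the upstream maintainer dated July 2011, so it was presumably merged well before this release, but that should be confirmed against the unpacked tarball (the fix is recognisable by `html_txt(info->old_path)` in ui-diff.c) and stated in the changelog rather than left implicit, e.g. `- drop cgit-CVE-2011-2711-fix.diff: rename-hint escaping is contained in 0.9.1`. `Release: 7` is also carried over unchanged across the version bump; if OBS rewrites the release for this project that is harmless, otherwise it should be reset along with Version.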
@@ -37,7 +37,7 @@ Patch4: cgit-fix-more-read_tree_recursive-invocations.diff
# Requirements for cgit
BuildRequires: gnu-crypto libopenssl-devel libzip-devel
# Requirements for cgitrc man page generation
-BuildRequires: asciidoc libxslt
+BuildRequires: asciidoc libxslt xz
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
From 8ef605c894f7c6fbeb8c8f157e42d3924ea70a5d2ba6fdc4220c88b2255245bc Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 20 Nov 2012 14:56:29 +0000
Subject: [PATCH 3/3] fix changelog
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=17
---
cgit.changes | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cgit.changes b/cgit.changes
index 407ad91..8169d60 100644
--- a/cgit.changes
+++ b/cgit.changes
@@ -32,6 +32,10 @@ Tue Nov 20 12:04:15 CET 2012 - tiwai@suse.de
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
+- drop obsoleted patches
+ cgit-CVE-2011-2711-fix.diff
+ cgit-CVE-2012-4465-fix.diff
+ cgit-CVE-2012-4548-fix.diff
-------------------------------------------------------------------
Mon Oct 29 11:45:50 CET 2012 - tiwai@suse.de
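Review bot: `xz` is appended to the BuildRequires line that sits directly under `# Requirements for cgitrc man page generation`, but according to the commit message it is needed to unpack the new `.tar.xz` Source0, so that comment now misdescribes the line. Give the dependency its own line with its own comment, e.g. `# Requirement for unpacking the .tar.xz source (older distributions)` followed by `BuildRequires: xz`. The "OpenSUSE < 12.2" rationale currently lives only in the commit message; carrying it into that spec comment keeps it discoverable for whoever later cleans up the BuildRequires list.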