Accepting request 142138 from devel:tools:scm

- BuildRequire xz - updated to cgit-0.9.1: Enhancements: - path-selected submodule links - intelligent default branch guessing - /etc/mime.types lookup - gitweb.* and cgit.* git-config support - case insensitive sorting and age sorting - commit, repository, and section sorting - bold currently viewed page in pagination - support BSDs in makefile Security: - CVE-2012-4465: heap-buffer overflow in parsing.c - CVE-2012-4548: syntax highlighting command injection Bug Fixes: - transition maintainer to Jason Donenfeld (zx2c4) - download git snapshot from github instead of Lars' old server - css fixes - stablization of tests - more compatible default highlight script - suppress gzip timestamp so that tarballs only use tar timestamps - treat ctags as target in makefile - do not let global variables override certain local repo settings - print ampersand as proper html entity - use placeholder for empty commit subject - format diff view for addition and removal of files - point links at correct blob from ssdiff - drop obsoleted patches cgit-CVE-2011-2711-fix.diff OBS-URL: https://build.opensuse.org/request/show/142138 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cgit?expand=0&rev=14
2012-11-21 14:06:25 +00:00 · 2012-11-21 14:06:25 +00:00 · 2578d6c456
commit 2578d6c456
parent 239181a3f6 8ef605c894
7 changed files with 46 additions and 243 deletions
--- a/cgit-0.9.0.2.tar.bz2
+++ b/cgit-0.9.0.2.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:97e0f78f5d4aabe59e3795849c6e1a72900cd558a94d88cb236fee12d72b528c
 size 64203
--- a/cgit-0.9.1.tar.xz
+++ b/cgit-0.9.1.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e2d7de92cfcd5d61a7dacee2f603784843903081675f3c74e4845df9185930a0
 size 66472
--- a/cgit-CVE-2011-2711-fix.diff
+++ b/cgit-CVE-2011-2711-fix.diff
@ -1,35 +0,0 @@
 From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
 From: Lukas Fleischer <cgit@cryptocrack.de>
 Date: Fri, 22 Jul 2011 11:47:19 +0000
 Subject: Fix potential XSS vulnerability in rename hint
 The file name displayed in the rename hint should be escaped to avoid
 XSS. Note that this vulnerability is only applicable when an attacker
 has gained push access to the repository.
 Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
 Signed-off-by: Lars Hjemli <hjemli@gmail.com>
 ---
 ---
 ui-diff.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 --- a/ui-diff.c
 +++ b/ui-diff.c
@@ -97,10 +97,12 @@
 	htmlf("</td><td class='%s'>", class);
 	cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
 		       ctx.qry.sha2, info->new_path, 0);
 -	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
 -		htmlf(" (%s from %s)",
 -		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
 -		      info->old_path);
 +	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
 +		htmlf(" (%s from ",
 +		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
 +		html_txt(info->old_path);
 +		html(")");
 +	}
 	html("</td><td class='right'>");
 	if (info->binary) {
 		htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
--- a/cgit-CVE-2012-4465-fix.diff
+++ b/cgit-CVE-2012-4465-fix.diff
@ -1,171 +0,0 @@
 From 7757d1b046ecb67b830151d20715c658867df1ec Mon Sep 17 00:00:00 2001
 From: Jim Meyering <meyering@redhat.com>
 Date: Mon, 23 Apr 2012 20:06:35 +0000
 Subject: do not write outside heap buffer
 * parsing.c (substr): Handle tail < head.
 This started when I noticed some cgit segfaults on savannah.gnu.org.
 Finding the offending URL/commit and then constructing a stand-alone
 reproducer were far more time-consuming than writing the actual patch.
 The problem arises with a commit like this, in which the user name
 part of the "Author" field is empty:
    $ git log -1
    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
    Author: <T at h.or>
    Date:   Mon Apr 23 22:29:16 2012 +0200
 Here's what happens:
 (this is due to buf=malloc(0); strncpy (buf, head, -1);
 where "head" may point to plenty of attacker-specified non-NUL bytes,
 so we can overwrite a zero-length heap buffer with arbitrary data)
 Invalid write of size 1
    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
    by 0x455C85: xmalloc (wrapper.c:35)
    by 0x40894C: substr (parsing.c:60)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
 Invalid write of size 1
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
 Invalid write of size 1
    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x502F000
    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
    by 0x408977: substr (parsing.c:61)
    by 0x4089EF: parse_user (parsing.c:73)
    by 0x408D10: cgit_parse_commit (parsing.c:153)
    by 0x40A540: cgit_mk_refinfo (shared.c:171)
    by 0x40A581: cgit_refs_cb (shared.c:181)
    by 0x43DEB3: do_for_each_ref (refs.c:690)
    by 0x41075E: cgit_print_branches (ui-refs.c:191)
    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
    by 0x40780A: summary_fn (cmd.c:120)
    by 0x40667A: process_request (cgit.c:544)
    by 0x404078: cache_process (cache.c:322)
 This happens when tail - head == -1 here:
 (parsing.c)
  char *substr(const char *head, const char *tail)
  {
          char *buf;
          buf = xmalloc(tail - head + 1);
          strncpy(buf, head, tail - head);
          buf[tail - head] = '\0';
          return buf;
  }
  char *parse_user(char *t, char **name, char **email, unsigned long *date)
  {
          char *p = t;
          int mode = 1;
          while (p && *p) {
                  if (mode == 1 && *p == '<') {
                          *name = substr(t, p - 1);
                          t = p;
                          mode++;
                  } else if (mode == 1 && *p == '\n') {
 The fix is to handle the case of (tail < head) before calling xmalloc,
 thus avoiding passing an invalid value to xmalloc.
 And here's the reproducer:
 It was tricky to reproduce, because git prohibits use of an empty "name"
 in a commit ID.  To construct the offending commit, I had to resort to
 using "git hash-object".
 git init -q foo &&
 ( cd foo &&
  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
  h=$(git cat-file commit HEAD|sed 's/au //' \
    |git hash-object -t commit -w --stdin) &&
  git co -q -b test $h &&
  git br -q -D master &&
  git br -q -m test master)
 git clone -q --bare foo foo.git
 cat <<EOF > in
 repo.url=foo.git
 repo.path=foo.git
 EOF
 CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit
 The valgrind output is what you see above.
 AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
 Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
 copy whatever is in "head" (up to first NUL), but it also writes
 SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
 latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
 AFAICS, there is no way that the buffer clobbering can be turned into
 an exploit.
 ---
 diff --git a/parsing.c b/parsing.c
 index 602e3de..1b2a551 100644
 --- a/parsing.c
 +++ b/parsing.c
@@ -56,6 +56,8 @@ char *substr(const char *head, const char *tail)
 {
 	char *buf;
 +	if (tail < head)
 +		return xstrdup("");
 	buf = xmalloc(tail - head + 1);
 	strncpy(buf, head, tail - head);
 	buf[tail - head] = '\0';
 --
 cgit v0.9.0.3-79-g88f8
--- a/cgit-CVE-2012-4548-fix.diff
+++ b/cgit-CVE-2012-4548-fix.diff
@ -1,24 +0,0 @@
 From 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd Mon Sep 17 00:00:00 2001
 From: Jason A. Donenfeld <Jason@zx2c4.com>
 Date: Sun, 28 Oct 2012 02:03:41 +0000
 Subject: syntax-highlighting.sh: Fix command injection.
 By not quoting the argument, an attacker with the ability to add files
 to the repository could pass arbitrary arguments to the highlight
 command, in particular, the --plug-in argument which can lead to
 arbitrary command execution.
 This patch adds simple argument quoting.
 ---
 ---
 filters/syntax-highlighting.sh |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 --- a/filters/syntax-highlighting.sh
 +++ b/filters/syntax-highlighting.sh
@@ -31,4 +31,4 @@ EXTENSION="${BASENAME##*.}"
 # map Makefile and Makefile.* to .mk
 [ "${BASENAME%%.*}" == "Makefile" ] && EXTENSION=mk
 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
 +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
--- a/cgit.changes
+++ b/cgit.changes
@ -1,3 +1,42 @@
 -------------------------------------------------------------------
 Tue Nov 20 13:51:05 UTC 2012 - vjt@openssl.it
 - BuildRequire xz 
 -------------------------------------------------------------------
 Tue Nov 20 12:04:15 CET 2012 - tiwai@suse.de
 - updated to cgit-0.9.1:
  Enhancements:
  - path-selected submodule links
  - intelligent default branch guessing
  - /etc/mime.types lookup
  - gitweb.* and cgit.* git-config support
  - case insensitive sorting and age sorting
  - commit, repository, and section sorting
  - bold currently viewed page in pagination
  - support BSDs in makefile
  Security:
  - CVE-2012-4465: heap-buffer overflow in parsing.c
  - CVE-2012-4548: syntax highlighting command injection
  Bug Fixes:
  - transition maintainer to Jason Donenfeld (zx2c4)
  - download git snapshot from github instead of Lars' old server
  - css fixes
  - stablization of tests
  - more compatible default highlight script
  - suppress gzip timestamp so that tarballs only use tar timestamps
  - treat ctags as target in makefile
  - do not let global variables override certain local repo settings
  - print ampersand as proper html entity
  - use placeholder for empty commit subject
  - format diff view for addition and removal of files
  - point links at correct blob from ssdiff
 - drop obsoleted patches
  cgit-CVE-2011-2711-fix.diff
  cgit-CVE-2012-4465-fix.diff
  cgit-CVE-2012-4548-fix.diff
 -------------------------------------------------------------------
 Mon Oct 29 11:45:50 CET 2012 - tiwai@suse.de
--- a/cgit.spec
+++ b/cgit.spec
@ -20,27 +20,24 @@
 %define git_version	1.7.6.4
 Name:           cgit
-Url:            http://hjemli.net/git/cgit/
+Url:            http://git.zx2c4.com/cgit/
 License:        GPL-2.0
 Group:          Development/Libraries/C and C++
 AutoReqProv:    on
-Version:        0.9.0.2
+Version:        0.9.1
 Release:        7
 Summary:        A web frontend for git repositories
-Source0:        %{name}-%{version}.tar.bz2
+Source0:        %{name}-%{version}.tar.xz
 Source1:        git-%{git_version}.tar.gz
 Source2:        cgitrc
 Patch:          cgit-optflags.diff
 Patch1:         cgit-git-1.7.6_build_fix.patch
 Patch2:         cgit-CVE-2011-2711-fix.diff
 Patch3:         cgit-fix-print-tree.diff
 Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
 Patch5:         cgit-CVE-2012-4465-fix.diff
 Patch6:         cgit-CVE-2012-4548-fix.diff
 # Requirements for cgit
 BuildRequires:  gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
-BuildRequires:  asciidoc libxslt
+BuildRequires:  asciidoc libxslt xz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -56,11 +53,8 @@ Authors:
 %setup -q -T -D -a 1
 %patch -p1
 %patch1 -p1
 %patch2 -p1
 %patch3
 %patch4
 %patch5 -p1
 %patch6 -p1
 rm -rf git
 mv git-%{git_version} git