Accepting request 142049 from home:tiwai:branches:devel:tools:scm

- updated to cgit-0.9.1: Enhancements: - path-selected submodule links - intelligent default branch guessing - /etc/mime.types lookup - gitweb.* and cgit.* git-config support - case insensitive sorting and age sorting - commit, repository, and section sorting - bold currently viewed page in pagination - support BSDs in makefile Security: - CVE-2012-4465: heap-buffer overflow in parsing.c - CVE-2012-4548: syntax highlighting command injection Bug Fixes: - transition maintainer to Jason Donenfeld (zx2c4) - download git snapshot from github instead of Lars' old server - css fixes - stablization of tests - more compatible default highlight script - suppress gzip timestamp so that tarballs only use tar timestamps - treat ctags as target in makefile - do not let global variables override certain local repo settings - print ampersand as proper html entity - use placeholder for empty commit subject - format diff view for addition and removal of files - point links at correct blob from ssdiff OBS-URL: https://build.opensuse.org/request/show/142049 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=15
2012-11-20 11:18:29 +00:00 · 2012-11-20 11:18:29 +00:00 · 792cf81fdd
commit 792cf81fdd
parent b819ff884b
7 changed files with 36 additions and 242 deletions
--- a/cgit-0.9.0.2.tar.bz2
+++ b/cgit-0.9.0.2.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:97e0f78f5d4aabe59e3795849c6e1a72900cd558a94d88cb236fee12d72b528c
-size 64203
--- a/cgit-0.9.1.tar.xz
+++ b/cgit-0.9.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2d7de92cfcd5d61a7dacee2f603784843903081675f3c74e4845df9185930a0
+size 66472
--- a/cgit-CVE-2011-2711-fix.diff
+++ b/cgit-CVE-2011-2711-fix.diff
@ -1,35 +0,0 @@
-From bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5 Mon Sep 17 00:00:00 2001
-From: Lukas Fleischer <cgit@cryptocrack.de>
-Date: Fri, 22 Jul 2011 11:47:19 +0000
-Subject: Fix potential XSS vulnerability in rename hint
-
-The file name displayed in the rename hint should be escaped to avoid
-XSS. Note that this vulnerability is only applicable when an attacker
-has gained push access to the repository.
-
-Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de>
-Signed-off-by: Lars Hjemli <hjemli@gmail.com>
---
---
- ui-diff.c |   10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
--- a/ui-diff.c
-+++ b/ui-diff.c
-@@ -97,10 +97,12 @@
- 	htmlf("</td><td class='%s'>", class);
- 	cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
- 		       ctx.qry.sha2, info->new_path, 0);
-	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
-		htmlf(" (%s from %s)",
-		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
-		      info->old_path);
-+	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
-+		htmlf(" (%s from ",
-+		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
-+		html_txt(info->old_path);
-+		html(")");
-+	}
- 	html("</td><td class='right'>");
- 	if (info->binary) {
- 		htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
--- a/cgit-CVE-2012-4465-fix.diff
+++ b/cgit-CVE-2012-4465-fix.diff
@ -1,171 +0,0 @@
-From 7757d1b046ecb67b830151d20715c658867df1ec Mon Sep 17 00:00:00 2001
-From: Jim Meyering <meyering@redhat.com>
-Date: Mon, 23 Apr 2012 20:06:35 +0000
-Subject: do not write outside heap buffer
-
-* parsing.c (substr): Handle tail < head.
-
-This started when I noticed some cgit segfaults on savannah.gnu.org.
-Finding the offending URL/commit and then constructing a stand-alone
-reproducer were far more time-consuming than writing the actual patch.
-
-The problem arises with a commit like this, in which the user name
-part of the "Author" field is empty:
-
-    $ git log -1
-    commit 6f3f41d73393278f3ede68a2cb1e7a2a23fa3421
-    Author: <T at h.or>
-    Date:   Mon Apr 23 22:29:16 2012 +0200
-
-Here's what happens:
-
-(this is due to buf=malloc(0); strncpy (buf, head, -1);
- where "head" may point to plenty of attacker-specified non-NUL bytes,
- so we can overwrite a zero-length heap buffer with arbitrary data)
-
- Invalid write of size 1
-    at 0x4A09361: strncpy (mc_replace_strmem.c:463)
-    by 0x408977: substr (parsing.c:61)
-    by 0x4089EF: parse_user (parsing.c:73)
-    by 0x408D10: cgit_parse_commit (parsing.c:153)
-    by 0x40A540: cgit_mk_refinfo (shared.c:171)
-    by 0x40A581: cgit_refs_cb (shared.c:181)
-    by 0x43DEB3: do_for_each_ref (refs.c:690)
-    by 0x41075E: cgit_print_branches (ui-refs.c:191)
-    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
-    by 0x40780A: summary_fn (cmd.c:120)
-    by 0x40667A: process_request (cgit.c:544)
-    by 0x404078: cache_process (cache.c:322)
-  Address 0x4c718d0 is 0 bytes after a block of size 0 alloc'd
-    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
-    by 0x455C85: xmalloc (wrapper.c:35)
-    by 0x40894C: substr (parsing.c:60)
-    by 0x4089EF: parse_user (parsing.c:73)
-    by 0x408D10: cgit_parse_commit (parsing.c:153)
-    by 0x40A540: cgit_mk_refinfo (shared.c:171)
-    by 0x40A581: cgit_refs_cb (shared.c:181)
-    by 0x43DEB3: do_for_each_ref (refs.c:690)
-    by 0x41075E: cgit_print_branches (ui-refs.c:191)
-    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
-    by 0x40780A: summary_fn (cmd.c:120)
-    by 0x40667A: process_request (cgit.c:544)
-
- Invalid write of size 1
-    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
-    by 0x408977: substr (parsing.c:61)
-    by 0x4089EF: parse_user (parsing.c:73)
-    by 0x408D10: cgit_parse_commit (parsing.c:153)
-    by 0x40A540: cgit_mk_refinfo (shared.c:171)
-    by 0x40A581: cgit_refs_cb (shared.c:181)
-    by 0x43DEB3: do_for_each_ref (refs.c:690)
-    by 0x41075E: cgit_print_branches (ui-refs.c:191)
-    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
-    by 0x40780A: summary_fn (cmd.c:120)
-    by 0x40667A: process_request (cgit.c:544)
-    by 0x404078: cache_process (cache.c:322)
-  Address 0x4c7192b is not stack'd, malloc'd or (recently) free'd
-
- Invalid write of size 1
-    at 0x4A0940E: strncpy (mc_replace_strmem.c:463)
-    by 0x408977: substr (parsing.c:61)
-    by 0x4089EF: parse_user (parsing.c:73)
-    by 0x408D10: cgit_parse_commit (parsing.c:153)
-    by 0x40A540: cgit_mk_refinfo (shared.c:171)
-    by 0x40A581: cgit_refs_cb (shared.c:181)
-    by 0x43DEB3: do_for_each_ref (refs.c:690)
-    by 0x41075E: cgit_print_branches (ui-refs.c:191)
-    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
-    by 0x40780A: summary_fn (cmd.c:120)
-    by 0x40667A: process_request (cgit.c:544)
-    by 0x404078: cache_process (cache.c:322)
-  Address 0x4c7192d is not stack'd, malloc'd or (recently) free'd
-
- Process terminating with default action of signal 11 (SIGSEGV)
-  Access not within mapped region at address 0x502F000
-    at 0x4A09400: strncpy (mc_replace_strmem.c:463)
-    by 0x408977: substr (parsing.c:61)
-    by 0x4089EF: parse_user (parsing.c:73)
-    by 0x408D10: cgit_parse_commit (parsing.c:153)
-    by 0x40A540: cgit_mk_refinfo (shared.c:171)
-    by 0x40A581: cgit_refs_cb (shared.c:181)
-    by 0x43DEB3: do_for_each_ref (refs.c:690)
-    by 0x41075E: cgit_print_branches (ui-refs.c:191)
-    by 0x416EF2: cgit_print_summary (ui-summary.c:56)
-    by 0x40780A: summary_fn (cmd.c:120)
-    by 0x40667A: process_request (cgit.c:544)
-    by 0x404078: cache_process (cache.c:322)
-
-This happens when tail - head == -1 here:
-(parsing.c)
-
-  char *substr(const char *head, const char *tail)
-  {
-          char *buf;
-
-          buf = xmalloc(tail - head + 1);
-          strncpy(buf, head, tail - head);
-          buf[tail - head] = '\0';
-          return buf;
-  }
-
-  char *parse_user(char *t, char **name, char **email, unsigned long *date)
-  {
-          char *p = t;
-          int mode = 1;
-
-          while (p && *p) {
-                  if (mode == 1 && *p == '<') {
-                          *name = substr(t, p - 1);
-                          t = p;
-                          mode++;
-                  } else if (mode == 1 && *p == '\n') {
-
-The fix is to handle the case of (tail < head) before calling xmalloc,
-thus avoiding passing an invalid value to xmalloc.
-
-And here's the reproducer:
-It was tricky to reproduce, because git prohibits use of an empty "name"
-in a commit ID.  To construct the offending commit, I had to resort to
-using "git hash-object".
-
-git init -q foo &&
-( cd foo &&
-  echo a > j && git add . && git ci -q --author='au <T at h.or>' -m. . &&
-  h=$(git cat-file commit HEAD|sed 's/au //' \
-    |git hash-object -t commit -w --stdin) &&
-  git co -q -b test $h &&
-  git br -q -D master &&
-  git br -q -m test master)
-git clone -q --bare foo foo.git
-
-cat <<EOF > in
-repo.url=foo.git
-repo.path=foo.git
-EOF
-CGIT_CONFIG=in QUERY_STRING=url=foo.git valgrind ./cgit
-
-The valgrind output is what you see above.
-
-AFAICS, this is not exploitable thanks (ironically) to the use of strncpy.
-Since that -1 translates to SIZE_MAX and this is strncpy, not only does it
-copy whatever is in "head" (up to first NUL), but it also writes
-SIZE_MAX - strlen(head) NUL bytes into the destination buffer, and that
-latter is guaranteed to evoke a segfault.  Since cgit is single-threaded,
-AFAICS, there is no way that the buffer clobbering can be turned into
-an exploit.
---
-diff --git a/parsing.c b/parsing.c
-index 602e3de..1b2a551 100644
--- a/parsing.c
-+++ b/parsing.c
-@@ -56,6 +56,8 @@ char *substr(const char *head, const char *tail)
- {
- 	char *buf;
- 
-+	if (tail < head)
-+		return xstrdup("");
- 	buf = xmalloc(tail - head + 1);
- 	strncpy(buf, head, tail - head);
- 	buf[tail - head] = '\0';
--
-cgit v0.9.0.3-79-g88f8
--- a/cgit-CVE-2012-4548-fix.diff
+++ b/cgit-CVE-2012-4548-fix.diff
@ -1,24 +0,0 @@
-From 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd Mon Sep 17 00:00:00 2001
-From: Jason A. Donenfeld <Jason@zx2c4.com>
-Date: Sun, 28 Oct 2012 02:03:41 +0000
-Subject: syntax-highlighting.sh: Fix command injection.
-
-By not quoting the argument, an attacker with the ability to add files
-to the repository could pass arbitrary arguments to the highlight
-command, in particular, the --plug-in argument which can lead to
-arbitrary command execution.
-
-This patch adds simple argument quoting.
---
---
- filters/syntax-highlighting.sh |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
--- a/filters/syntax-highlighting.sh
-+++ b/filters/syntax-highlighting.sh
-@@ -31,4 +31,4 @@ EXTENSION="${BASENAME##*.}"
- # map Makefile and Makefile.* to .mk
- [ "${BASENAME%%.*}" == "Makefile" ] && EXTENSION=mk
- 
-exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
-+exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
--- a/cgit.changes
+++ b/cgit.changes
@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Tue Nov 20 12:04:15 CET 2012 - tiwai@suse.de
+
+- updated to cgit-0.9.1:
+  Enhancements:
+  - path-selected submodule links
+  - intelligent default branch guessing
+  - /etc/mime.types lookup
+  - gitweb.* and cgit.* git-config support
+  - case insensitive sorting and age sorting
+  - commit, repository, and section sorting
+  - bold currently viewed page in pagination
+  - support BSDs in makefile
+  Security:
+  - CVE-2012-4465: heap-buffer overflow in parsing.c
+  - CVE-2012-4548: syntax highlighting command injection
+  Bug Fixes:
+  - transition maintainer to Jason Donenfeld (zx2c4)
+  - download git snapshot from github instead of Lars' old server
+  - css fixes
+  - stablization of tests
+  - more compatible default highlight script
+  - suppress gzip timestamp so that tarballs only use tar timestamps
+  - treat ctags as target in makefile
+  - do not let global variables override certain local repo settings
+  - print ampersand as proper html entity
+  - use placeholder for empty commit subject
+  - format diff view for addition and removal of files
+  - point links at correct blob from ssdiff
+
 -------------------------------------------------------------------
 Mon Oct 29 11:45:50 CET 2012 - tiwai@suse.de

--- a/cgit.spec
+++ b/cgit.spec
@ -20,23 +20,20 @@
 %define git_version	1.7.6.4

 Name:           cgit
-Url:            http://hjemli.net/git/cgit/
+Url:            http://git.zx2c4.com/cgit/
 License:        GPL-2.0
 Group:          Development/Libraries/C and C++
 AutoReqProv:    on
-Version:        0.9.0.2
+Version:        0.9.1
 Release:        7
 Summary:        A web frontend for git repositories
-Source0:        %{name}-%{version}.tar.bz2
+Source0:        %{name}-%{version}.tar.xz
 Source1:        git-%{git_version}.tar.gz
 Source2:        cgitrc
 Patch:          cgit-optflags.diff
 Patch1:         cgit-git-1.7.6_build_fix.patch
-Patch2:         cgit-CVE-2011-2711-fix.diff
 Patch3:         cgit-fix-print-tree.diff
 Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
-Patch5:         cgit-CVE-2012-4465-fix.diff
-Patch6:         cgit-CVE-2012-4548-fix.diff
 # Requirements for cgit
 BuildRequires:  gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
@ -56,11 +53,8 @@ Authors:
 %setup -q -T -D -a 1
 %patch -p1
 %patch1 -p1
-%patch2 -p1
 %patch3
 %patch4
-%patch5 -p1
-%patch6 -p1
 rm -rf git
 mv git-%{git_version} git