Accepting request 182502 from home:tiwai:branches:devel:tools:scm

- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117, bnc#822166) OBS-URL: https://build.opensuse.org/request/show/182502 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=18
2013-07-08 13:23:26 +00:00 · 2013-07-08 13:23:26 +00:00 · e085371370
commit e085371370
parent 8ef605c894
3 changed files with 66 additions and 0 deletions
--- a/cgit-CVE-2013-2117-disallow-directory-traversal.patch
+++ b/cgit-CVE-2013-2117-disallow-directory-traversal.patch
@ -0,0 +1,58 @@
+From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Sat, 25 May 2013 17:47:15 +0000
+Subject: ui-summary: Disallow directory traversal
+
+Using the url= query string, it was possible request arbitrary files
+from the filesystem if the readme for a given page was set to a
+filesystem file. The following request would return my /etc/passwd file:
+
+http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
+http://data.zx2c4.com/cgit-directory-traversal.png
+
+This fix uses realpath(3) to canonicalize all paths, and then compares
+the base components.
+
+This fix introduces a subtle timing attack, whereby a client can check
+whether or not strstr is called using timing measurements in order
+to determine if a given file exists on the filesystem.
+
+This fix also does not account for filesystem race conditions (TOCTOU)
+in resolving symlinks.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+---
+ ui-summary.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/ui-summary.c
+++ b/ui-summary.c
+@@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path)
+ 	 * to the directory containing the configured readme.
+ 	 */
+ 	if (path) {
+		char *resolved_base, *resolved_full;
+ 		slash = strrchr(ctx.repo->readme, '/');
+ 		if (!slash) {
+ 			if (!colon)
+@@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path)
+ 		}
+ 		tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1);
+ 		strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
+		if (!ref)
+			resolved_base = realpath(tmp, NULL);
+ 		strcpy(tmp + (slash - ctx.repo->readme + 1), path);
+		if (!ref) {
+			resolved_full = realpath(tmp, NULL);
+			if (!resolved_base || !resolved_full ||
+			    strstr(resolved_full, resolved_base) != resolved_full) {
+				free(tmp);
+				return;
+			}
+			free(resolved_base);
+			free(resolved_full);
+		}
+ 	} else
+ 		tmp = ctx.repo->readme;
+ 
--- a/cgit.changes
+++ b/cgit.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul  5 17:05:04 CEST 2013 - tiwai@suse.de
+
+- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
+  bnc#822166)
+
 -------------------------------------------------------------------
 Tue Nov 20 13:51:05 UTC 2012 - vjt@openssl.it

--- a/cgit.spec
+++ b/cgit.spec
@ -34,6 +34,7 @@ Patch:          cgit-optflags.diff
 Patch1:         cgit-git-1.7.6_build_fix.patch
 Patch3:         cgit-fix-print-tree.diff
 Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
+Patch5:         cgit-CVE-2013-2117-disallow-directory-traversal.patch
 # Requirements for cgit
 BuildRequires:  gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
@ -55,6 +56,7 @@ Authors:
 %patch1 -p1
 %patch3
 %patch4
+%patch5 -p1
 rm -rf git
 mv git-%{git_version} git