From e085371370355bd7364dc213d65c2aac19b5732cbc054af1ea63368851bc8c79 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Mon, 8 Jul 2013 13:23:26 +0000
Subject: [PATCH] Accepting request 182502 from home:tiwai:branches:devel:tools:scm
- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117, bnc#822166)
OBS-URL: https://build.opensuse.org/request/show/182502
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cgit?expand=0&rev=18
---
 ...13-2117-disallow-directory-traversal.patch | 58 +++++++++++++++++++
 cgit.changes | 6 ++
 cgit.spec | 2 +
 3 files changed, 66 insertions(+)
 create mode 100644 cgit-CVE-2013-2117-disallow-directory-traversal.patch
diff --git a/cgit-CVE-2013-2117-disallow-directory-traversal.patch b/cgit-CVE-2013-2117-disallow-directory-traversal.patch
new file mode 100644
index 0000000..d26bc6e
--- /dev/null
+++ b/cgit-CVE-2013-2117-disallow-directory-traversal.patch
@@ -0,0 +1,58 @@
+From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001
+From: Jason A. Donenfeld
+Date: Sat, 25 May 2013 17:47:15 +0000
+Subject: ui-summary: Disallow directory traversal
+
+Using the url= query string, it was possible request arbitrary files
+from the filesystem if the readme for a given page was set to a
+filesystem file. The following request would return my /etc/passwd file:
+
+http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
+http://data.zx2c4.com/cgit-directory-traversal.png
+
+This fix uses realpath(3) to canonicalize all paths, and then compares
+the base components.
+
+This fix introduces a subtle timing attack, whereby a client can check
+whether or not strstr is called using timing measurements in order
+to determine if a given file exists on the filesystem.
+
+This fix also does not account for filesystem race conditions (TOCTOU)
+in resolving symlinks.
+
+Signed-off-by: Jason A. Donenfeld
+---
+---
+ ui-summary.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/ui-summary.c
++++ b/ui-summary.c
+@@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path)
+ * to the directory containing the configured readme.
+ */
+ if (path) {
++ char *resolved_base, *resolved_full;
+ slash = strrchr(ctx.repo->readme, '/');
+ if (!slash) {
+ if (!colon)
+@@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path)
+ }
+ tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1);
+ strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
++ if (!ref)
++ resolved_base = realpath(tmp, NULL);
+ strcpy(tmp + (slash - ctx.repo->readme + 1), path);
++ if (!ref) {
++ resolved_full = realpath(tmp, NULL);
++ if (!resolved_base || !resolved_full ||
++ strstr(resolved_full, resolved_base) != resolved_full) {
++ free(tmp);
++ return;
++ }
++ free(resolved_base);
++ free(resolved_full);
++ }
+ } else
+ tmp = ctx.repo->readme;
+
diff --git a/cgit.changes b/cgit.changes
index 8169d60..0381161 100644
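Review bot: The containment test `strstr(resolved_full, resolved_base) != resolved_full` in the embedded ui-summary.c patch is a plain string-prefix match, so a resolved path in a sibling directory whose name merely begins with the readme directory's name (constructed example: base `/srv/repo`, target under `/srv/repo-old/`) still passes. The comparison should also require that the character following the prefix is `/` or the end of the string. In the same block, `realpath(tmp, NULL)` runs directly after `strncpy`, which copies `slash - ctx.repo->readme + 1` bytes and writes no terminator, so unless `xmalloc` zeroes the buffer (not visible here) the base directory is resolved from an unterminated string. The rejection branch also returns without freeing `resolved_base` and `resolved_full`. The fence shows the rewritten lines; `cgit_print_repo_readme` begins and ends outside the embedded hunks.

```c
		strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
		tmp[slash - ctx.repo->readme + 1] = '\0';	/* strncpy wrote no terminator */
		/* … unchanged: resolved_base = realpath(tmp, NULL) under !ref, then strcpy of path … */
		if (!ref) {
			size_t base_len;
			int inside;

			resolved_full = realpath(tmp, NULL);
			base_len = resolved_base ? strlen(resolved_base) : 0;
			/* The prefix must end on a path-component boundary;
			 * base_len == 1 means the base resolved to "/". */
			inside = resolved_base && resolved_full &&
				 !strncmp(resolved_full, resolved_base, base_len) &&
				 (base_len == 1 || resolved_full[base_len] == '/' ||
				  resolved_full[base_len] == '\0');
			/* Release both results on the accept and the reject path. */
			free(resolved_base);
			free(resolved_full);
			if (!inside) {
				free(tmp);
				return;
			}
		}
```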
--- a/cgit.changes
+++ b/cgit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul 5 17:05:04 CEST 2013 - tiwai@suse.de
+
+- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
+ bnc#822166)
+
 -------------------------------------------------------------------
 Tue Nov 20 13:51:05 UTC 2012 - vjt@openssl.it
 
diff --git a/cgit.spec b/cgit.spec
index e870d13..c4494e2 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -34,6 +34,7 @@ Patch: cgit-optflags.diff
 Patch1: cgit-git-1.7.6_build_fix.patch
 Patch3: cgit-fix-print-tree.diff
 Patch4: cgit-fix-more-read_tree_recursive-invocations.diff
+Patch5: cgit-CVE-2013-2117-disallow-directory-traversal.patch
 # Requirements for cgit
 BuildRequires: gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
@@ -55,6 +56,7 @@ Authors:
 %patch1 -p1
 %patch3
 %patch4
+%patch5 -p1
 rm -rf git
 mv git-%{git_version} git