authorNatanael Copa <ncopa@alpinelinux.org>2018-08-04 16:57:50 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2018-08-04 16:57:50 +0200
commit15b5cd51d6380cc80777d5283f9615ce4f8c28e6 (patch)
treeb3481845c8e6fef823df6606e8751e207deef872
parentb9378282d449377367ed322b235ebc2e526f7bbe (diff)
main/cgit: fix CVE-2018-14912
-rw-r--r--main/cgit/APKBUILD10
-rw-r--r--main/cgit/CVE-2018-14912.patch62
2 files changed, 70 insertions, 2 deletions
diff --git a/main/cgit/APKBUILD b/main/cgit/APKBUILD
index 8eee9cc82f..138d2e0c6d 100644
--- a/main/cgit/APKBUILD
+++ b/main/cgit/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cgit
pkgver=1.1
-pkgrel=3
+pkgrel=4
_gitver=2.10.2
pkgdesc="A fast webinterface for git"
url="https://git.zx2c4.com/cgit/"
@@ -12,8 +12,13 @@ makedepends="libressl-dev zlib-dev lua5.3-dev asciidoc"
subpackages="$pkgname-doc"
source="http://git.zx2c4.com/$pkgname/snapshot/$pkgname-$pkgver.tar.xz
https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
+ CVE-2018-14912.patch
"
+# secfixes:
+# 1.1-r2:
+# - CVE-2018-14912.patch
+
_makeopts="NO_ICONV=YesPlease
NO_GETTEXT=YesPlease
NO_TCLTK=YesPlease
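Review bot: The `# secfixes:` entry added in this hunk records the fix under `1.1-r2`, but the same commit bumps `pkgrel` from 3 to 4, so the first release that actually carries the patch is 1.1-r4. Anything that reads secfixes to decide which package versions are still affected would treat 1.1-r2 and 1.1-r3 as fixed although they were built without the patch. The item also names the patch file rather than the CVE identifier, which (as far as the secfixes convention goes) is what consumers match on. I would write `#   1.1-r4:` followed by `#     - CVE-2018-14912`.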
@@ -53,4 +58,5 @@ package() {
}
sha512sums="8f2ec418716d7a6f0880a713b622f2ee41217dc2d5462903841d59d978a021a8bc2be667ca65c25baee2b9dcd4a76bddd0c813bda0486109cc694e7610827051 cgit-1.1.tar.xz
-d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz"
+d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz
+77e8cc28039ada82ca2ff068e8d736b649436af016371af96ab49262e5f6d5572715ce1417f469a1758659907000422c3e1ec107cbd98f15496b1f0dfd9efef6 CVE-2018-14912.patch"
diff --git a/main/cgit/CVE-2018-14912.patch b/main/cgit/CVE-2018-14912.patch
new file mode 100644
index 0000000000..a5a0c450f8
--- /dev/null
+++ b/main/cgit/CVE-2018-14912.patch
@@ -0,0 +1,62 @@
+From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: clone: fix directory traversal
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reported-by: Jann Horn <jannh@google.com>
+---
+ ui-clone.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+
+ void cgit_clone_objects(void)
+ {
+- if (!ctx.qry.path) {
+- cgit_print_error_page(400, "Bad request", "Bad request");
+- return;
+- }
++ char *p;
++
++ if (!ctx.qry.path)
++ goto err;
+
+ if (!strcmp(ctx.qry.path, "info/packs")) {
+ print_pack_info();
+ return;
+ }
+
++ /* Avoid directory traversal by forbidding "..", but also work around
++ * other funny business by just specifying a fairly strict format. For
++ * example, now we don't have to stress out about the Cygwin port.
++ */
++ for (p = ctx.qry.path; *p; ++p) {
++ if (*p == '.' && *(p + 1) == '.')
++ goto err;
++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++ goto err;
++ }
++
+ send_file(git_path("objects/%s", ctx.qry.path));
++ return;
++
++err:
++ cgit_print_error_page(400, "Bad request", "Bad request");
+ }
+
+ void cgit_clone_head(void)
+--
+cgit v1.2.1-3-gea92
+
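Review bot: In the validation loop added to cgit_clone_objects(), `isalnum(*p)` receives a plain `char` taken from the request's `path` value; where `char` is signed, any byte at or above 0x80 becomes a negative argument, which is undefined behaviour for the `<ctype.h>` classifiers. The check should cast first: `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')`. `isalnum` is also locale-dependent, so if the process ever sets a non-C locale the allowlist could admit more than ASCII letters and digits; explicit range comparisons would keep the "fairly strict format" the comment promises. This file is the upstream patch carried verbatim, so the change is best raised upstream and picked up from there rather than edited locally.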