diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch new file mode 100644 index 0000000..9f647f2 --- /dev/null +++ b/0001-clone-fix-directory-traversal.patch @@ -0,0 +1,62 @@ +From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 3 Aug 2018 15:46:11 +0200 +Subject: [PATCH] clone: fix directory traversal + +This was introduced in the initial version of this code, way back when +in 2008. + +$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd +root:x:0:0:root:/root:/bin/sh +... + +Signed-off-by: Jason A. Donenfeld +Reported-by: Jann Horn +--- + ui-clone.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/ui-clone.c b/ui-clone.c +index 2c1ac3d..6ba8f36 100644 +--- a/ui-clone.c ++++ b/ui-clone.c +@@ -92,17 +92,32 @@ void cgit_clone_info(void) + + void cgit_clone_objects(void) + { +- if (!ctx.qry.path) { +- cgit_print_error_page(400, "Bad request", "Bad request"); +- return; +- } ++ char *p; ++ ++ if (!ctx.qry.path) ++ goto err; + + if (!strcmp(ctx.qry.path, "info/packs")) { + print_pack_info(); + return; + } + ++ /* Avoid directory traversal by forbidding "..", but also work around ++ * other funny business by just specifying a fairly strict format. For ++ * example, now we don't have to stress out about the Cygwin port. ++ */ ++ for (p = ctx.qry.path; *p; ++p) { ++ if (*p == '.' && *(p + 1) == '.') ++ goto err; ++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-') ++ goto err; ++ } ++ + send_file(git_path("objects/%s", ctx.qry.path)); ++ return; ++ ++err: ++ cgit_print_error_page(400, "Bad request", "Bad request"); + } + + void cgit_clone_head(void) +-- +2.18.0 + diff --git a/cgit.spec b/cgit.spec index 06974fb..d95bc74 100644 --- a/cgit.spec +++ b/cgit.spec @@ -36,7 +36,7 @@ make V=1 %{?_smp_mflags} \\\ Name: cgit Version: 0.12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A fast web interface for git Group: Development/Tools @@ -47,6 +47,9 @@ Source1: http://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz Source2: cgitrc Source3: README.SELinux +# https://git.zx2c4.com/cgit/commit/?id=53efaf30b +Patch0: 0001-clone-fix-directory-traversal.patch + %if %{syntax_highlight} # On all but RHEL5 highlight is version 3. Patch1: cgit-0.9.1-highlightv3.patch @@ -81,6 +84,7 @@ Cgit is a fast web interface for git. It uses caching to increase performance. %prep %setup -q -a 1 +%patch0 -p1 %if %{syntax_highlight} %patch1 -p1 %endif @@ -158,6 +162,9 @@ rm -rf %{buildroot} %changelog +* Fri Aug 03 2018 Todd Zullinger - 0.12-2 +- Fix directory traversal vulnerability + * Sat Jan 16 2016 Kevin Fenzi - 0.12-1 - Update to 0.12. Fixes bug #1298912 - Fixes CVE-2016-1899 CVE-2016-1900 CVE-2016-1901