main/cgit: fix CVE-2018-14912

2 files changed, 70 insertions, 2 deletions

diff --git a/main/cgit/APKBUILD b/main/cgit/APKBUILD
index ccc617e36d..c0bb1d2af2 100644
--- a/main/cgit/APKBUILD
+++ b/main/cgit/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cgit
 pkgver=1.1
-pkgrel=1
+pkgrel=2
 _gitver=2.10.2
 pkgdesc="A fast webinterface for git"
 url="http://git.zx2c4.com/cgit/"
@@ -12,8 +12,13 @@ makedepends="libressl-dev zlib-dev lua5.3-dev asciidoc"
 subpackages="$pkgname-doc"
 source="http://git.zx2c4.com/$pkgname/snapshot/$pkgname-$pkgver.tar.xz
         https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
+        CVE-2018-14912.patch
         "
 
+# secfixes:
+#   1.1-r2:
+#   - CVE-2018-14912
+
 _makeopts="NO_ICONV=YesPlease
         NO_GETTEXT=YesPlease
         NO_TCLTK=YesPlease
@@ -53,4 +58,5 @@ package() {
 }
 
 sha512sums="8f2ec418716d7a6f0880a713b622f2ee41217dc2d5462903841d59d978a021a8bc2be667ca65c25baee2b9dcd4a76bddd0c813bda0486109cc694e7610827051  cgit-1.1.tar.xz
-d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0  git-2.10.2.tar.gz"
+d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0  git-2.10.2.tar.gz
+77e8cc28039ada82ca2ff068e8d736b649436af016371af96ab49262e5f6d5572715ce1417f469a1758659907000422c3e1ec107cbd98f15496b1f0dfd9efef6  CVE-2018-14912.patch"
diff --git a/main/cgit/CVE-2018-14912.patch b/main/cgit/CVE-2018-14912.patch
new file mode 100644
index 0000000000..a5a0c450f8
--- /dev/null
+++ b/main/cgit/CVE-2018-14912.patch
@@ -0,0 +1,62 @@
+From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: clone: fix directory traversal
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reported-by: Jann Horn <jannh@google.com>
+---
+ ui-clone.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+ 
+ void cgit_clone_objects(void)
+ {
+-       if (!ctx.qry.path) {
+-               cgit_print_error_page(400, "Bad request", "Bad request");
+-               return;
+-       }
++       char *p;
++
++       if (!ctx.qry.path)
++               goto err;
+ 
+        if (!strcmp(ctx.qry.path, "info/packs")) {
+                print_pack_info();
+                return;
+        }
+ 
++       /* Avoid directory traversal by forbidding "..", but also work around
++        * other funny business by just specifying a fairly strict format. For
++        * example, now we don't have to stress out about the Cygwin port.
++        */
++       for (p = ctx.qry.path; *p; ++p) {
++               if (*p == '.' && *(p + 1) == '.')
++                       goto err;
++               if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++                       goto err;
++       }
++
+        send_file(git_path("objects/%s", ctx.qry.path));
++       return;
++
++err:
++       cgit_print_error_page(400, "Bad request", "Bad request");
+ }
+ 
+ void cgit_clone_head(void)
+-- 
+cgit v1.2.1-3-gea92
+