author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-04 16:57:50 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-04 17:05:20 +0200 |
commit | 9d484bb11de6c8d11f5d541dcc9b1b915052b4d9 (patch) | |
tree | cebb178523175c26ee0d6ffae76e8633cabc48ce | |
parent | a7f6a9958c48146e719ecc1f6e2c38812af75c4b (diff) | |
main/cgit: fix CVE-2018-14912
-rw-r--r-- | main/cgit/APKBUILD | 10 | ||||
-rw-r--r-- | main/cgit/CVE-2018-14912.patch | 62 |
2 files changed, 70 insertions, 2 deletions
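--- a/main/cgit/APKBUILD
+++ b/main/cgit/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cgit
 pkgver=1.1
-pkgrel=1
+pkgrel=2
 _gitver=2.10.2
 pkgdesc="A fast webinterface for git"
 url="http://git.zx2c4.com/cgit/"
@@ -12,8 +12,13 @@ makedepends="libressl-dev zlib-dev lua5.3-dev asciidoc"
 subpackages="$pkgname-doc"
 source="http://git.zx2c4.com/$pkgname/snapshot/$pkgname-$pkgver.tar.xz
 https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
+CVE-2018-14912.patch
 "
 
+# secfixes:
+# 1.1-r2:
+# - CVE-2018-14912
+
 _makeopts="NO_ICONV=YesPlease
 NO_GETTEXT=YesPlease
 NO_TCLTK=YesPlease
@@ -53,4 +58,5 @@ package() {
 }
 
 sha512sums="8f2ec418716d7a6f0880a713b622f2ee41217dc2d5462903841d59d978a021a8bc2be667ca65c25baee2b9dcd4a76bddd0c813bda0486109cc694e7610827051 cgit-1.1.tar.xz
-d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz"
+d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz
+77e8cc28039ada82ca2ff068e8d736b649436af016371af96ab49262e5f6d5572715ce1417f469a1758659907000422c3e1ec107cbd98f15496b1f0dfd9efef6 CVE-2018-14912.patch"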
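--- /dev/null
+++ b/main/cgit/CVE-2018-14912.patch
@@ -0,0 +1,62 @@
+From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: clone: fix directory traversal
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reported-by: Jann Horn <jannh@google.com>
+---
+ui-clone.c | 23 +++++++++++++++++++----
+1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+
+void cgit_clone_objects(void)
+{
+- if (!ctx.qry.path) {
+- cgit_print_error_page(400, "Bad request", "Bad request");
+- return;
+- }
++ char *p;
++
++ if (!ctx.qry.path)
++ goto err;
+
+if (!strcmp(ctx.qry.path, "info/packs")) {
+print_pack_info();
+return;
+}
+
++ /* Avoid directory traversal by forbidding "..", but also work around
++ * other funny business by just specifying a fairly strict format. For
++ * example, now we don't have to stress out about the Cygwin port.
++ */
++ for (p = ctx.qry.path; *p; ++p) {
++ if (*p == '.' && *(p + 1) == '.')
++ goto err;
++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++ goto err;
++ }
++
+send_file(git_path("objects/%s", ctx.qry.path));
++ return;
++
++err:
++ cgit_print_error_page(400, "Bad request", "Bad request");
+}
+
+void cgit_clone_head(void)
+--
+cgit v1.2.1-3-gea92
+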
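Review bot: In the new validation loop of `cgit_clone_objects`, `isalnum(*p)` is called on a plain `char` read from the request's `path` parameter. Where `char` is signed, a byte above 0x7f reaches `isalnum` as a negative value, which is undefined behaviour in the very check meant to reject hostile input. Cast before the call: `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')`. The hunk does not show the include list of ui-clone.c, so it is worth confirming that `<ctype.h>` is in scope there rather than relying on an implicit declaration. `isalnum` is also locale-dependent, so I would add a comment such as `/* allow-list assumes the "C" locale: ASCII letters and digits, '/', '.', '-' only */` above the loop to keep the intended character set explicit for later maintainers.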