Commit 12e79cd8 authored by Natanael Copa's avatar Natanael Copa

main/cgit: fix CVE-2018-14912

parent b8d67256
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cgit
pkgver=1.1
pkgrel=2
pkgrel=3
_gitver=2.10.2
pkgdesc="A fast webinterface for git"
url="https://git.zx2c4.com/cgit/"
......@@ -12,8 +12,13 @@ makedepends="libressl-dev zlib-dev lua5.3-dev asciidoc"
subpackages="$pkgname-doc"
source="http://git.zx2c4.com/$pkgname/snapshot/$pkgname-$pkgver.tar.xz
https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
CVE-2018-14912.patch
"
# secfixes:
# 1.1-r2:
# - CVE-2018-14912
_makeopts="NO_ICONV=YesPlease
NO_GETTEXT=YesPlease
NO_TCLTK=YesPlease
......@@ -53,4 +58,5 @@ package() {
}
sha512sums="8f2ec418716d7a6f0880a713b622f2ee41217dc2d5462903841d59d978a021a8bc2be667ca65c25baee2b9dcd4a76bddd0c813bda0486109cc694e7610827051 cgit-1.1.tar.xz
d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz"
d8ee88732eed027f5cb822f003a17e4cf249c23927a6c6ff55cff49aa3b6951396375576d25f635bebe34ddbdfae5885cd69cee2c48d3848bed0ed9bebb60fb0 git-2.10.2.tar.gz
77e8cc28039ada82ca2ff068e8d736b649436af016371af96ab49262e5f6d5572715ce1417f469a1758659907000422c3e1ec107cbd98f15496b1f0dfd9efef6 CVE-2018-14912.patch"
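Review bot: The added secfixes entry records the fix under `1.1-r2`, but this same section moves pkgrel to 3, so the build that actually carries CVE-2018-14912.patch would be 1.1-r3. This assumes the second of the two pkgrel lines is the new one, since the +/- markers are lost on this page. Anything that reads the secfixes comment to decide which releases are fixed would then treat the unpatched 1.1-r2 as fixed. The entry should read `# 1.1-r3:` followed by `# - CVE-2018-14912`, keeping the file's existing indentation.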
From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Fri, 3 Aug 2018 15:46:11 +0200
Subject: clone: fix directory traversal
This was introduced in the initial version of this code, way back when
in 2008.
$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
...
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>
---
ui-clone.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/ui-clone.c b/ui-clone.c
index 2c1ac3d..6ba8f36 100644
--- a/ui-clone.c
+++ b/ui-clone.c
@@ -92,17 +92,32 @@ void cgit_clone_info(void)
void cgit_clone_objects(void)
{
- if (!ctx.qry.path) {
- cgit_print_error_page(400, "Bad request", "Bad request");
- return;
- }
+ char *p;
+
+ if (!ctx.qry.path)
+ goto err;
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
+ /* Avoid directory traversal by forbidding "..", but also work around
+ * other funny business by just specifying a fairly strict format. For
+ * example, now we don't have to stress out about the Cygwin port.
+ */
+ for (p = ctx.qry.path; *p; ++p) {
+ if (*p == '.' && *(p + 1) == '.')
+ goto err;
+ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
+ goto err;
+ }
+
send_file(git_path("objects/%s", ctx.qry.path));
+ return;
+
+err:
+ cgit_print_error_page(400, "Bad request", "Bad request");
}
void cgit_clone_head(void)
--
cgit v1.2.1-3-gea92
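Review bot: In the validation loop of cgit_clone_objects, `isalnum(*p)` is handed a plain `char` taken from the request path; with the C library's isalnum, a byte above 0x7f is negative on signed-char platforms and the call is undefined. If the build substitutes a locale-independent ctype macro from the bundled git headers (not visible in this patch), the call is already safe, but the allowlist then rests on a header detail a reader cannot see here. Writing `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')` keeps the check correct under either definition. Extending the existing comment with the accepted set, for example `accepted: [A-Za-z0-9/.-], never two consecutive dots`, would also help anyone auditing the filter later.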