Commit c8d5b301 authored by Leonardo Arena's avatar Leonardo Arena

main/cgit: security fix CVE-2016-1899, CVE-2016-1900, CVE-2016-1901. Fixes #5096

parent 2be17766
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cgit
pkgver=0.11.2
pkgrel=0
pkgrel=1
_gitver=2.3.2
pkgdesc="A fast webinterface for git"
url="http://git.zx2c4.com/cgit/"
......@@ -10,9 +10,12 @@ license="GPL2"
makedepends="openssl-dev zlib-dev lua5.2-dev asciidoc"
depends=""
subpackages="$pkgname-doc"
source="
http://git.zx2c4.com/cgit/snapshot/cgit-$pkgver.tar.xz
source="http://git.zx2c4.com/cgit/snapshot/cgit-$pkgver.tar.xz
https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
CVE-2016-1899.patch
ui-blob-set-csp-just-in-case.patch
CVE-2016-1900.patch
CVE-2016-1901.patch
"
_makeopts="NO_ICONV=YesPlease
......@@ -54,8 +57,20 @@ package() {
}
md5sums="dbafc4e19c715c5ee9ed0cd9d0fda9fa cgit-0.11.2.tar.xz
1e9141d60940eeda6b3d04646b2e8d1a git-2.3.2.tar.gz"
1e9141d60940eeda6b3d04646b2e8d1a git-2.3.2.tar.gz
a97aa769ffcea8eadaa9d07af66cac62 CVE-2016-1899.patch
94781166b8974b178c5e662a97f0819c ui-blob-set-csp-just-in-case.patch
983434f7d09159024166a275ee9310e3 CVE-2016-1900.patch
348e3ac77fbcf537707a9060b918dc31 CVE-2016-1901.patch"
sha256sums="2e126e770693d7296c7eb5eb83b809410aef29870bfe8f54da072a3f4d813e3b cgit-0.11.2.tar.xz
a35aea3a0f63f4cc3dd38fa32127e97273f335a14ea2586b649eb759ecf675a3 git-2.3.2.tar.gz"
a35aea3a0f63f4cc3dd38fa32127e97273f335a14ea2586b649eb759ecf675a3 git-2.3.2.tar.gz
84185ccd38533541169721517db2e895733c6e320318ae96c6ce0d46c172482d CVE-2016-1899.patch
b7a55ce0e6907d2e9ca14f15cef91964e81ad05f22f5dbc18fd5d9940f854dc5 ui-blob-set-csp-just-in-case.patch
449fd7a9cf19c35ca5114d7877b2dca78da0a23f1c31984e4d6f4221d8c5bb59 CVE-2016-1900.patch
490eb320304cdebfcaa9e07517b5a0c7c37428babe8d4b5a0fbd0852340299b0 CVE-2016-1901.patch"
sha512sums="a29bce6e02c61bb2683ce96f867c3050c03dc9e45b5154507e92a30f9e436f61517eeff0c5b9023727e54a9212bf9bf6692a33e791e7883976a5349ae58c0c72 cgit-0.11.2.tar.xz
ac56a8b2351e85c7c02b206ca17bf4c96569ad13bbe92dace2f8ed05f146c3e352248d52d15f3bfd33b705a816dcdd60909f1fd3e38e437130ba18e0c34925df git-2.3.2.tar.gz"
ac56a8b2351e85c7c02b206ca17bf4c96569ad13bbe92dace2f8ed05f146c3e352248d52d15f3bfd33b705a816dcdd60909f1fd3e38e437130ba18e0c34925df git-2.3.2.tar.gz
bd8a166c516fda2598c4060c478bd25b681960a8db2d8d46fa4cafaa4ede9bcbff84fd25596cef1b4230edc1a1a7a41ea07a94d425180bad14955d184017c048 CVE-2016-1899.patch
c2b41967cdef2e42d611c2fe0721a71c1b33e6a1785d45a2ef53c970e8e71ae9eef0b8eae93ca8a3d9933288fef9777c649430c94ecc930c875f98e35d5ce413 ui-blob-set-csp-just-in-case.patch
36626fed9e9c3bdc8fb6c07c3189023fd5edd7f0251198e5cc8225fb8545ace0aa9852352e2509427c179dd3f6b9e705176925ee9aa833039c6b3b6b529b8c2f CVE-2016-1900.patch
5e83ddb52bbc317a577ca6669af70f252f30f538724d76177739a741beba3f0a2bd08642f2ae4d4947035b93300e26ea4582cb2091932a267c9046101318c0b5 CVE-2016-1901.patch"
From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 14 Jan 2016 14:31:13 +0100
Subject: ui-blob: Do not accept mimetype from user
---
cgit.c | 2 --
cgit.h | 1 -
ui-blob.c | 1 -
3 files changed, 4 deletions(-)
diff --git a/cgit.c b/cgit.c
index 05e5d57..3ed1935 100644
--- a/cgit.c
+++ b/cgit.c
@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
ctx.qry.path = trim_end(value, '/');
} else if (!strcmp(name, "name")) {
ctx.qry.name = xstrdup(value);
- } else if (!strcmp(name, "mimetype")) {
- ctx.qry.mimetype = xstrdup(value);
} else if (!strcmp(name, "s")) {
ctx.qry.sort = xstrdup(value);
} else if (!strcmp(name, "showmsg")) {
diff --git a/cgit.h b/cgit.h
index b7eccdd..4b4bcf4 100644
--- a/cgit.h
+++ b/cgit.h
@@ -173,7 +173,6 @@ struct cgit_query {
char *sha2;
char *path;
char *name;
- char *mimetype;
char *url;
char *period;
int ofs;
diff --git a/ui-blob.c b/ui-blob.c
index 1ded839..2cce11c 100644
--- a/ui-blob.c
+++ b/ui-blob.c
@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
}
buf[size] = '\0';
- ctx.page.mimetype = ctx.qry.mimetype;
if (!ctx.page.mimetype) {
if (buffer_is_binary(buf, size))
ctx.page.mimetype = "application/octet-stream";
--
cgit v0.12-20-g4fde
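Review bot: After the `ctx.page.mimetype = ctx.qry.mimetype;` line is dropped from cgit_print_blob, the surviving `if (!ctx.page.mimetype) {` guard in the ui-blob.c hunk tests a field this function no longer assigns, so whether the binary/text detection runs now depends on whatever ctx.page.mimetype holds on entry; if the request context presets it to a default type (not visible in this hunk, so unconfirmed), a blob would be served under that default instead of application/octet-stream or text/plain. The guard existed only to honour the user-supplied value that this patch removes, so the detection should become unconditional: delete the `if (!ctx.page.mimetype) {` line and its closing brace and keep the `if (buffer_is_binary(buf, size)) ... else ...` pair as plain statements. cgit_print_blob starts and ends outside the hunk, as does the closing brace of the guard. The cgit.c and cgit.h hunks, which remove the query-string branch and the struct field, are consistent with each other.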
From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 14 Jan 2016 14:28:37 +0100
Subject: ui-shared: prevent malicious filename from injecting headers
---
html.c | 26 ++++++++++++++++++++++++++
html.h | 1 +
ui-shared.c | 8 +++++---
3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/html.c b/html.c
index 959148c..d89df3a 100644
--- a/html.c
+++ b/html.c
@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
html(txt);
}
+void html_header_arg_in_quotes(const char *txt)
+{
+ const char *t = txt;
+ while (t && *t) {
+ unsigned char c = *t;
+ const char *e = NULL;
+ if (c == '\\')
+ e = "\\\\";
+ else if (c == '\r')
+ e = "\\r";
+ else if (c == '\n')
+ e = "\\n";
+ else if (c == '"')
+ e = "\\\"";
+ if (e) {
+ html_raw(txt, t - txt);
+ html(e);
+ txt = t + 1;
+ }
+ t++;
+ }
+ if (t != txt)
+ html(txt);
+
+}
+
void html_hidden(const char *name, const char *value)
{
html("<input type='hidden' name='");
diff --git a/html.h b/html.h
index c554763..c72e845 100644
--- a/html.h
+++ b/html.h
@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
extern void html_attr(const char *txt);
extern void html_url_path(const char *txt);
extern void html_url_arg(const char *txt);
+extern void html_header_arg_in_quotes(const char *txt);
extern void html_hidden(const char *name, const char *value);
extern void html_option(const char *value, const char *text, const char *selected_value);
extern void html_intoption(int value, const char *text, int selected_value);
diff --git a/ui-shared.c b/ui-shared.c
index 21f581f..54bbde7 100644
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
htmlf("Content-Type: %s\n", ctx.page.mimetype);
if (ctx.page.size)
htmlf("Content-Length: %zd\n", ctx.page.size);
- if (ctx.page.filename)
- htmlf("Content-Disposition: inline; filename=\"%s\"\n",
- ctx.page.filename);
+ if (ctx.page.filename) {
+ html("Content-Disposition: inline; filename=\"");
+ html_header_arg_in_quotes(ctx.page.filename);
+ html("\"\n");
+ }
if (!ctx.env.authenticated)
html("Cache-Control: no-cache, no-store\n");
htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
--
cgit v0.12-20-g4fde
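Review bot: html_header_arg_in_quotes in the html.c hunk escapes only backslash, CR, LF and the double quote, so every other C0 control byte and DEL in a filename is copied into the Content-Disposition value verbatim; that cannot split a header line once CR and LF are covered, but it does emit a quoted-string that the HTTP quoted-string grammar (which admits HTAB as the only control) rejects, and lenient parsers may handle it inconsistently. Dropping those bytes keeps the header well-formed with the existing escape mechanism: add `else if ((c < 0x20 && c != '\t') || c == 0x7f)` followed by `e = "";` after the `c == '"'` branch, since a non-NULL empty replacement makes the loop flush up to `t` and skip the byte. The function also lacks any comment on its contract; I would put `/* Emit txt as the body of an HTTP quoted-string: backslash, '"', CR and LF are backslash-escaped so a caller-supplied filename can neither close the quoted value nor start a new header line. */` above it. The ui-shared.c hunk uses the helper correctly; the stray blank line before the closing brace at the end of the function can go.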
From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 24 Nov 2015 11:28:00 +0100
Subject: filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.
Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
cgit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cgit.c b/cgit.c
index 5937b9e..05e5d57 100644
--- a/cgit.c
+++ b/cgit.c
@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
static inline void authenticate_post(void)
{
char buffer[MAX_AUTHENTICATION_POST_BYTES];
- int len;
+ unsigned int len;
open_auth_filter("authenticate-post");
len = ctx.env.content_length;
--
cgit v0.12-20-g4fde
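Review bot: The type change from `int len;` to `unsigned int len;` in authenticate_post carries no comment, and the reason (given only in the commit message) is exactly the kind of thing a later cleanup would undo; the bounding check it protects is outside this hunk, as is the rest of the function body. I would annotate the declaration: `unsigned int len; /* same type as ctx.env.content_length: a value >= 2^31 must not become negative before the size check below */`. The hunk itself is consistent with the description; the width of `ctx.env.content_length` cannot be confirmed from these lines.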
From 9ca2566972db968df4479108b29bb92551138b57 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 14 Jan 2016 14:43:43 +0100
Subject: ui-blob: set CSP just in case
---
ui-blob.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ui-blob.c b/ui-blob.c
index 43a2f10..d388489 100644
--- a/ui-blob.c
+++ b/ui-blob.c
@@ -166,6 +166,9 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
else
ctx.page.mimetype = "text/plain";
ctx.page.filename = path;
+
+ html("X-Content-Type-Options: nosniff\n");
+ html("Content-Security-Policy: default-src 'none'\n");
cgit_print_http_headers();
html_raw(buf, size);
free(buf);
--
cgit v0.12-20-g4fde
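Review bot: The two added header lines in the ui-blob.c hunk have no comment explaining why they belong here, and the commit subject ("just in case") will not survive a backport; a maintainer reading cgit_print_blob should see the rationale next to the code. I would precede them with `/* Blob bytes are user-controlled: nosniff stops browsers from promoting the text/plain or octet-stream type chosen above to HTML, and the CSP disables script/resource loading if the content is rendered anyway. */`. The headers are emitted before cgit_print_http_headers() with the same bare-`\n` termination that function uses, which is consistent; whether cgit_print_http_headers itself ever emits either header is not visible here.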