Hello community,

here is the log from the commit of package cgit for openSUSE:Factory checked in 
at 2013-07-08 22:24:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cgit (Old)
 and      /work/SRC/openSUSE:Factory/.cgit.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cgit"

Changes:
--------
--- /work/SRC/openSUSE:Factory/cgit/cgit.changes        2012-11-21 
15:06:27.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cgit.new/cgit.changes   2013-07-08 
22:24:19.000000000 +0200
@@ -1,0 +2,6 @@
+Fri Jul  5 17:05:04 CEST 2013 - ti...@suse.de
+
+- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
+  bnc#822166)
+
+-------------------------------------------------------------------

New:
----
  cgit-CVE-2013-2117-disallow-directory-traversal.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cgit.spec ++++++
--- /var/tmp/diff_new_pack.e6Tmpk/_old  2013-07-08 22:24:19.000000000 +0200
+++ /var/tmp/diff_new_pack.e6Tmpk/_new  2013-07-08 22:24:19.000000000 +0200
@@ -34,6 +34,7 @@
 Patch1:         cgit-git-1.7.6_build_fix.patch
 Patch3:         cgit-fix-print-tree.diff
 Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
+Patch5:         cgit-CVE-2013-2117-disallow-directory-traversal.patch
 # Requirements for cgit
 BuildRequires:  gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
@@ -55,6 +56,7 @@
 %patch1 -p1
 %patch3
 %patch4
+%patch5 -p1
 rm -rf git
 mv git-%{git_version} git
 

++++++ cgit-CVE-2013-2117-disallow-directory-traversal.patch ++++++
From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001
From: Jason A. Donenfeld <ja...@zx2c4.com>
Date: Sat, 25 May 2013 17:47:15 +0000
Subject: ui-summary: Disallow directory traversal

Using the url= query string, it was possible to request arbitrary files
from the filesystem if the readme for a given page was set to a
filesystem file. The following request would return my /etc/passwd file:

http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
http://data.zx2c4.com/cgit-directory-traversal.png

This fix uses realpath(3) to canonicalize all paths, and then compares
the base components.

This fix introduces a subtle timing attack, whereby a client can check
whether or not strstr is called using timing measurements in order
to determine if a given file exists on the filesystem.

This fix also does not account for filesystem race conditions (TOCTOU)
in resolving symlinks.

Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com>
---
---
 ui-summary.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/ui-summary.c
+++ b/ui-summary.c
@@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path)
         * to the directory containing the configured readme.
         */
        if (path) {
+               char *resolved_base, *resolved_full;
                slash = strrchr(ctx.repo->readme, '/');
                if (!slash) {
                        if (!colon)
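Review bot: resolved_base and resolved_full are declared without an initializer here although they are only assigned further down, inside the if (!ref) blocks; initializing both to NULL at the declaration (char *resolved_base = NULL, *resolved_full = NULL;) keeps the later NULL checks and free() calls well defined if the two conditional blocks are ever restructured, at no cost.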
@@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path)
                }
                tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1);
                strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
+               if (!ref)
+                       resolved_base = realpath(tmp, NULL);
                strcpy(tmp + (slash - ctx.repo->readme + 1), path);
+               if (!ref) {
+                       resolved_full = realpath(tmp, NULL);
+                       if (!resolved_base || !resolved_full ||
+                           strstr(resolved_full, resolved_base) != 
resolved_full) {
+                               free(tmp);
+                               return;
+                       }
+                       free(resolved_base);
+                       free(resolved_full);
+               }
        } else
                tmp = ctx.repo->readme;
 
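Review bot: resolved_base = realpath(tmp, NULL) runs while tmp is not yet NUL-terminated: the preceding strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1) copies the directory prefix up to and including the slash and no terminator, and the terminator only arrives with the strcpy on the following line, so unless xmalloc() zero-fills, realpath() reads past the copied prefix into uninitialized heap. Terminate first (tmp[slash - ctx.repo->readme + 1] = '\0';) or run realpath on a separate copy of the directory part. Two smaller points in the same block: the failing branch does free(tmp); return; without freeing resolved_base and resolved_full, whose free() calls sit only on the success path, so both realpath() results leak there; and strstr(resolved_full, resolved_base) != resolved_full is a plain string-prefix test, while realpath() returns the base without a trailing slash, so a sibling entry whose name merely begins with the base name would pass as well. A component-aware check such as strncmp(resolved_full, resolved_base, n) == 0 && (resolved_full[n] == '/' || resolved_full[n] == '\0') with n = strlen(resolved_base) is tighter and states the intent directly.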