Hello community,

here is the log from the commit of package cgit for openSUSE:Factory checked in at 2013-07-08 22:24:18

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cgit (Old)
 and      /work/SRC/openSUSE:Factory/.cgit.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cgit" Changes: -------- --- /work/SRC/openSUSE:Factory/cgit/cgit.changes 2012-11-21 15:06:27.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cgit.new/cgit.changes 2013-07-08 22:24:19.000000000 +0200 @@ -1,0 +2,6 @@ +Fri Jul 5 17:05:04 CEST 2013 - ti...@suse.de + +- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117, + bnc#822166) + +------------------------------------------------------------------- New: ---- cgit-CVE-2013-2117-disallow-directory-traversal.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cgit.spec ++++++ --- /var/tmp/diff_new_pack.e6Tmpk/_old 2013-07-08 22:24:19.000000000 +0200 +++ /var/tmp/diff_new_pack.e6Tmpk/_new 2013-07-08 22:24:19.000000000 +0200 @@ -34,6 +34,7 @@ Patch1: cgit-git-1.7.6_build_fix.patch Patch3: cgit-fix-print-tree.diff Patch4: cgit-fix-more-read_tree_recursive-invocations.diff +Patch5: cgit-CVE-2013-2117-disallow-directory-traversal.patch # Requirements for cgit BuildRequires: gnu-crypto libopenssl-devel libzip-devel # Requirements for cgitrc man page generation @@ -55,6 +56,7 @@ %patch1 -p1 %patch3 %patch4 +%patch5 -p1 rm -rf git mv git-%{git_version} git ++++++ cgit-CVE-2013-2117-disallow-directory-traversal.patch ++++++ >From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001 
From: Jason A. Donenfeld <ja...@zx2c4.com> Date: Sat, 25 May 2013 17:47:15 +0000 Subject: ui-summary: Disallow directory traversal Using the url= query string, it was possible request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com> --- --- ui-summary.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/ui-summary.c +++ b/ui-summary.c @@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path) * to the directory containing the configured readme. */ if (path) { + char *resolved_base, *resolved_full; slash = strrchr(ctx.repo->readme, '/'); if (!slash) { if (!colon) @@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path) } tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1); strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1); + if (!ref) + resolved_base = realpath(tmp, NULL); strcpy(tmp + (slash - ctx.repo->readme + 1), path); + if (!ref) { + resolved_full = realpath(tmp, NULL); + if (!resolved_base || !resolved_full || + strstr(resolved_full, resolved_base) != resolved_full) { + free(tmp); + return; + } + free(resolved_base); + free(resolved_full); + } } else tmp = ctx.repo->readme; -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
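Review bot: In the first ui-summary.c hunk, `char *resolved_base, *resolved_full;` are declared without initialisers, so the later error path cannot free them unconditionally without risking a free of an indeterminate pointer. Suggest `char *resolved_base = NULL, *resolved_full = NULL;` so the cleanup below can simply `free()` both regardless of which realpath(3) call failed.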
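Review bot: The second ui-summary.c hunk leaks on its rejection path and its containment test has no component boundary. When `!resolved_base || !resolved_full || strstr(...) != resolved_full` is true, only `tmp` is freed, so whichever of `resolved_base` / `resolved_full` realpath(3) did return is leaked; move the two `free()` calls ahead of the early `return`. Separately, `strstr(resolved_full, resolved_base) != resolved_full` is a plain prefix test: a canonical base of `/srv/readme` also matches `/srv/readme2/...`, so the check should additionally require `resolved_full[strlen(resolved_base)]` to be `'/'` or `'\0'` (with the one-character base `/` handled specially). The commit message already records the timing side channel and the symlink TOCTOU as known limitations.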
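The commit message describes the fix as canonicalising both paths with realpath(3) and comparing the base components. The following is an added, stand-alone example (not cgit's code) of that containment check written so that the directory boundary is enforced and nothing is leaked; `make_fixture` builds a constructed directory layout under /tmp purely to exercise it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if `path` canonicalises to `base` or beneath it, 0 if it is missing or escapes
 * `base`, -1 if `base` itself cannot be resolved. Unlike a bare strstr() prefix
 * test, the component boundary after the base is checked, so "/srv/readme2/x" is
 * not accepted as lying inside "/srv/readme". Both realpath() buffers are freed. */
int path_within_base(const char *base, const char *path)
{
    char *rb = realpath(base, NULL);
    if (!rb)
        return -1;
    char *rf = realpath(path, NULL);
    int inside = 0;
    if (rf) {
        size_t n = strlen(rb);
        if (strncmp(rf, rb, n) == 0)
            inside = n == 1 || rf[n] == '/' || rf[n] == '\0'; /* n == 1: base is "/" */
    }
    free(rb);
    free(rf); /* free(NULL) is a no-op */
    return inside;
}

/* Constructed fixture (hypothetical, not part of cgit): creates <tmp>/readme/README
 * and a sibling <tmp>/readme2/README; stores <tmp>/readme in `base`; 0 on success. */
int make_fixture(char *base, size_t len)
{
    char tmpl[] = "/tmp/cgit-demo-XXXXXX", p[4096];
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(base, len, "%s/readme", tmpl);
    snprintf(p, sizeof p, "%s/readme2", tmpl);
    if (mkdir(base, 0700) != 0 || mkdir(p, 0700) != 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/readme%s/README", tmpl, i ? "2" : "");
        FILE *f = fopen(p, "w");
        if (!f || fclose(f) != 0)
            return -1;
    }
    return 0;
}
```

The sibling case (`readme/../readme2/README`) is exactly the one a prefix-only strstr() test would accept; here it resolves to a path whose next character after the base is `2`, so it is rejected.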