Hello community,

here is the log from the commit of package cgit.1853 for openSUSE:12.3:Update checked in at 2013-07-17 10:58:04

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/cgit.1853 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.cgit.1853.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cgit.1853"

Changes:
--------
New Changes file:

--- /dev/null	2013-07-15 01:04:09.588030756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.cgit.1853.new/cgit.changes	2013-07-17 10:58:05.000000000 +0200
@@ -0,0 +1,211 @@ +------------------------------------------------------------------- +Fri Jul 5 17:05:04 CEST 2013 - [email protected] + +- cgit-CVE-2013-2117-disallow-directory-traversal.patch: + Fix cgit: remote file disclosure flaw (CVE-2013-2117, + bnc#822166) + +------------------------------------------------------------------- +Tue Nov 20 13:51:05 UTC 2012 - [email protected] + +- BuildRequire xz + +------------------------------------------------------------------- +Tue Nov 20 12:04:15 CET 2012 - [email protected] + +- updated to cgit-0.9.1: + Enhancements: + - path-selected submodule links + - intelligent default branch guessing + - /etc/mime.types lookup + - gitweb.* and cgit.* git-config support + - case insensitive sorting and age sorting + - commit, repository, and section sorting + - bold currently viewed page in pagination + - support BSDs in makefile + Security: + - CVE-2012-4465: heap-buffer overflow in parsing.c + - CVE-2012-4548: syntax highlighting command injection + Bug Fixes: + - transition maintainer to Jason Donenfeld (zx2c4) + - download git snapshot from github instead of Lars' old server + - css fixes + - stablization of tests + - more compatible default highlight script + - suppress gzip timestamp so that tarballs only use tar timestamps + - treat ctags as target in makefile + - do not let global variables override certain local repo settings + - print ampersand as proper html entity + - use placeholder for empty commit subject + - format diff view for addition and removal of files + - point links at correct blob from ssdiff +- drop obsoleted patches + cgit-CVE-2011-2711-fix.diff + cgit-CVE-2012-4465-fix.diff + cgit-CVE-2012-4548-fix.diff + +------------------------------------------------------------------- +Mon Oct 29 11:45:50 CET 2012 - [email protected] + +- cgit-CVE-2012-4548-fix.diff: + Fix VUL-0: cgit: arbitrary code / command execution via + improperly quoted arguments (CVE-2012-4548, bnc#787074) + 
+------------------------------------------------------------------- +Wed Oct 10 15:22:03 CEST 2012 - [email protected] + +- Fix VUL-0: specially-crafted commits can trigger a heap-based + buffer overflow (CVE-2012-4465, bnc#783012) + +------------------------------------------------------------------- +Mon Feb 13 10:44:54 UTC 2012 - [email protected] + +- patch license to follow spdx.org standard + +------------------------------------------------------------------- +Mon Nov 28 14:04:00 CET 2011 - [email protected] + +- Add patch cgit-fix-more-read_tree_recursive-invocations.diff: + + There are more incorrect invocations of read_tree_recursive(), + one example can be seen when visiting one of the 'plain' links + in the tree view (contents of the wrong file are shown). + + This time I did what I should have done last time and checked + and adjusted all invocations of read_tree_recursive(). + +------------------------------------------------------------------- +Tue Nov 22 09:24:35 UTC 2011 - [email protected] + +- Add patch cgit-fix-print-tree.diff: + The cgit build fix with respect to git-1.7.6 is incomplete: in + the file ui-tree.c ls_tree() has been patched to use pathspec + when invoking read_tree_recursive(), but cgit_print_tree() has + no t been touched. + + The resulting problem can be seen when browsing the tree of a cgit + repository: when you "drill down" into subfolders, parts of the + parent folder's contents will appear in the listing. + + This patch adjusts cgit_print_tree() accordingly, which fixes the problem. 
+ +------------------------------------------------------------------- +Fri Oct 14 10:13:03 CEST 2011 - [email protected] + +- split from OBS git repo to an individual repo (since cgit-0.9 + doesn't build with git-1.7.7) +- merged fixes in git repo back to cgit repo +- updated to git 1.7.6.4 + +------------------------------------------------------------------- +Wed Aug 3 21:35:48 UTC 2011 - [email protected] + +- updated to cgit 0.9.0.2 +- fixed potential XSS vulnerability in rename hint +- fixed a segfault with git 1.7.6 + +------------------------------------------------------------------- +Mon Jun 27 18:22:11 CEST 2011 - [email protected] + +- updated to git 1.7.6: see git changelog for more details + +------------------------------------------------------------------- +Mon Jun 6 16:03:34 CEST 2011 - [email protected] + +- updated to git 1.7.5.4: see git changelog for more details + +------------------------------------------------------------------- +Mon Jun 6 12:24:02 CEST 2011 - [email protected] + +- Fix incompatibilies with git 1.7.5.x to build cgit again + +------------------------------------------------------------------- +Wed Jun 1 12:41:12 UTC 2011 - [email protected] + +- Do not buildrequire git, the package builds it's own git and the + buildrequires line only makes backporting harder. 
+ +------------------------------------------------------------------- +Fri May 27 11:54:43 CEST 2011 - [email protected] + +- updated git 1.7.5.3: + See git changelog for more details + +------------------------------------------------------------------- +Mon Mar 28 18:26:17 CEST 2011 - [email protected] + +- updated to git 1.7.4.2: + documentation updates, small bug fixes; + see included Documentation/RelNotes/1.7.4.2.txt +- updated to cgit 0.9: + major updates; using git-1.7.4.x + +------------------------------------------------------------------- +Fri Dec 17 17:51:32 CET 2010 - [email protected] + +- updated to git 1.7.3.3: + In addition to the usual fixes, this release also includes + support for the new "add.ignoreErrors" name given to the + existing "add.ignore-errors" configuration variable. +- updated to git 1.7.3.4: + Among many fixes since v1.7.3.3, it contains a fix to a recently + discovered XSS vulnerability in Gitweb (CVE 2010-3906) + +------------------------------------------------------------------- +Thu Sep 30 08:21:27 CEST 2010 - [email protected] + +- updated to git 1.7.3: + major version update; new options and behavior for git-rebase, + git-clean, git-checkout, git-gui. + See release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.3.txt +- updated to git 1.7.3.1: + fix git-stash breakages +- Set NO_CROSS_DIRECTORY_HARDLINKS=1 to satisfy BS + +------------------------------------------------------------------- +Fri Aug 20 17:41:32 CEST 2010 - [email protected] + +- fixed more segfaults in cgit. + +------------------------------------------------------------------- +Fri Aug 20 16:29:03 CEST 2010 - [email protected] + +- fix cgit segfault when using git > 1.7 +- update to version 0.8.3.3 +- get debuginfo working, don't strip binaries. 
+ +------------------------------------------------------------------- +Fri Aug 20 10:02:44 CEST 2010 - [email protected] + +- updated to git 1.7.2.2 + +------------------------------------------------------------------- +Thu Jul 29 13:52:36 CEST 2010 - [email protected] + +- fix missing link with libpthread + +------------------------------------------------------------------- +Thu Jul 29 13:43:28 CEST 2010 - [email protected] + +- updated to git 1.7.2.1: minor fixes for git-instaweb, git-web, + git-config. See release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.1.txt + +------------------------------------------------------------------- +Thu Jul 22 12:19:02 CEST 2010 - [email protected] + ++++ 14 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.cgit.1853.new/cgit.changes New: ---- cgit-0.9.1.tar.xz cgit-CVE-2013-2117-disallow-directory-traversal.patch cgit-fix-more-read_tree_recursive-invocations.diff cgit-fix-print-tree.diff cgit-git-1.7.6_build_fix.patch cgit-optflags.diff cgit.changes cgit.spec cgitrc git-1.7.6.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cgit.spec ++++++ # # spec file for package cgit # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

%define git_version 1.7.6.4

Name:           cgit
Url:            http://git.zx2c4.com/cgit/
Version:        0.9.1
Release:        0
Summary:        A web frontend for git repositories
License:        GPL-2.0
Group:          Development/Libraries/C and C++
Source0:        %{name}-%{version}.tar.xz
Source1:        git-%{git_version}.tar.gz
Source2:        cgitrc
Patch:          cgit-optflags.diff
Patch1:         cgit-git-1.7.6_build_fix.patch
Patch3:         cgit-fix-print-tree.diff
Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
Patch5:         cgit-CVE-2013-2117-disallow-directory-traversal.patch
# Requirements for cgit
BuildRequires:  gnu-crypto
BuildRequires:  libopenssl-devel
BuildRequires:  libzip-devel
# Requirements for cgitrc man page generation
BuildRequires:  asciidoc
BuildRequires:  libxslt
BuildRequires:  xz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This is an attempt to create a fast web interface for the git scm, using a
builtin cache to decrease server io-pressure.

Authors:
--------
    Lars Hjemli ([email protected])

%prep
%setup -q
%setup -q -T -D -a 1
%patch -p1
%patch1 -p1
%patch3
%patch4
%patch5 -p1
rm -rf git
mv git-%{git_version} git

%build
make V=1

%install
make install DESTDIR="%{buildroot}" CGIT_SCRIPT_PATH=/srv/www/htdocs/cgit
make install-man DESTDIR="%{buildroot}"
mkdir -p "%{buildroot}"/srv/www/cgi-bin/cgit/
mv "%{buildroot}"/srv/www/{htdocs,cgi-bin}/cgit/cgit.cgi
mkdir -p "%{buildroot}"/etc
cp %{SOURCE2} "%{buildroot}"/etc/cgitrc

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root)
%doc README COPYING
%doc %{_mandir}/man5/cgitrc.5.gz
%dir /srv/www/htdocs/cgit
%dir /srv/www/cgi-bin/cgit
/srv/www/cgi-bin/cgit/cgit.cgi
/srv/www/htdocs/cgit/cgit.css
/srv/www/htdocs/cgit/cgit.png
/usr/lib/cgit
%config(noreplace) /etc/cgitrc

%changelog

++++++ cgit-CVE-2013-2117-disallow-directory-traversal.patch ++++++
>From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001
From: Jason A. Donenfeld <[email protected]> Date: Sat, 25 May 2013 17:47:15 +0000 Subject: ui-summary: Disallow directory traversal Using the url= query string, it was possible request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld <[email protected]> --- --- ui-summary.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/ui-summary.c +++ b/ui-summary.c @@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path) * to the directory containing the configured readme. */ if (path) { + char *resolved_base, *resolved_full; slash = strrchr(ctx.repo->readme, '/'); if (!slash) { if (!colon) @@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path) } tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1); strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1); + if (!ref) + resolved_base = realpath(tmp, NULL); strcpy(tmp + (slash - ctx.repo->readme + 1), path); + if (!ref) { + resolved_full = realpath(tmp, NULL); + if (!resolved_base || !resolved_full || + strstr(resolved_full, resolved_base) != resolved_full) { + free(tmp); + return; + } + free(resolved_base); + free(resolved_full); + } } else tmp = ctx.repo->readme; ++++++ cgit-fix-more-read_tree_recursive-invocations.diff ++++++ --- ui-blob.c +++ ui-blob.c 
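Review bot: in the second hunk (@@ -104,7 +105,19 @@), `resolved_base = realpath(tmp, NULL)` runs before `tmp` is NUL-terminated: `strncpy` copies exactly `slash - ctx.repo->readme + 1` bytes into the freshly `xmalloc`ed buffer and the request path is only appended by the following `strcpy`, so realpath(3) reads whatever bytes happen to follow the copied prefix. Add `tmp[slash - ctx.repo->readme + 1] = '\0';` before that first realpath call. Two smaller points on the same hunk: `strstr(resolved_full, resolved_base) != resolved_full` is a plain prefix test, so it should additionally require `resolved_full[strlen(resolved_base)]` to be `'/'` or `'\0'` (realpath drops the trailing slash the copied prefix had, so a sibling directory whose name merely starts with the base name would pass); and the early `return` frees `tmp` but not `resolved_base` / `resolved_full`, which are only freed on the success path.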
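The containment check the commit message describes (canonicalise with realpath(3), then compare against the directory of the configured readme), written out as an added stand-alone example; this is not code from cgit or from the patch above. The function names `path_within_base`, `build_fixture` and `readme_allowed` are chosen here, and the temporary directory tree the demo builds under mkdtemp(3) is constructed for the example. It goes one step beyond the patch: after the prefix comparison it also requires a path separator (or end of string) right after the canonical base, so a sibling directory sharing the base's name prefix is rejected, and it reports an unresolvable path (-1) separately from one that resolves outside the base (0).

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if `candidate` canonicalises to `base` or to something below it,
 * 0 if it resolves somewhere else, -1 if either path cannot be resolved
 * (realpath(3) needs every component to exist).
 */
int path_within_base(const char *base, const char *candidate)
{
    char rbase[PATH_MAX], rcand[PATH_MAX];
    size_t blen;

    if (!realpath(base, rbase) || !realpath(candidate, rcand))
        return -1;
    blen = strlen(rbase);
    if (blen == 1 && rbase[0] == '/')       /* everything lives under "/" */
        return 1;
    if (strncmp(rcand, rbase, blen) != 0)   /* different prefix: outside */
        return 0;
    /* The byte after the prefix must be a separator or the end of the string,
     * otherwise "<root>/docs-private/..." would count as inside "<root>/docs". */
    return (rcand[blen] == '\0' || rcand[blen] == '/') ? 1 : 0;
}

/* ---- constructed demo fixture (not part of cgit): a throwaway tree ---- */
static char fixture_root[PATH_MAX];

static void touch(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs("x\n", f); fclose(f); }
}

/* Builds, once, under a mkdtemp directory:
 *   <root>/docs/readme.txt              the legitimate readme
 *   <root>/docs/link -> ../outside.txt  a symlink that leaves docs/
 *   <root>/docs-private/secret.txt      sibling sharing the "docs" prefix
 *   <root>/outside.txt                  a file outside docs/
 * Returns the root path, or NULL if the fixture could not be created. */
const char *build_fixture(void)
{
    char tmpl[] = "/tmp/cgit-readme-demo-XXXXXX";
    char p[PATH_MAX];

    if (fixture_root[0])
        return fixture_root;
    if (!mkdtemp(tmpl))
        return NULL;
    strcpy(fixture_root, tmpl);
    snprintf(p, sizeof p, "%s/docs", fixture_root);                    mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/docs-private", fixture_root);            mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/docs/readme.txt", fixture_root);         touch(p);
    snprintf(p, sizeof p, "%s/docs-private/secret.txt", fixture_root); touch(p);
    snprintf(p, sizeof p, "%s/outside.txt", fixture_root);             touch(p);
    snprintf(p, sizeof p, "%s/docs/link", fixture_root);
    if (symlink("../outside.txt", p) != 0)
        return NULL;
    return fixture_root;
}

/* Checks a readme path given relative to <root>/docs, mirroring how cgit
 * appends the request's path to the directory of the configured readme. */
int readme_allowed(const char *rel)
{
    char base[PATH_MAX], full[PATH_MAX];

    if (!build_fixture())
        return -1;
    snprintf(base, sizeof base, "%s/docs", fixture_root);
    snprintf(full, sizeof full, "%s/docs/%s", fixture_root, rel);
    return path_within_base(base, full);
}

int main(void)
{
    const char *cases[] = { "readme.txt", "../outside.txt",
                            "../docs-private/secret.txt", "link", "missing.txt" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s -> %d\n", cases[i], readme_allowed(cases[i]));
    return 0;
}
```

Only `readme.txt` yields 1; the two `..` forms and the symlink resolve outside `docs/` and yield 0, and the missing file yields -1. realpath(3) only reflects the filesystem at the moment of the call, so, as the commit message itself notes, this does not remove the symlink race: whatever opens the file afterwards should use the canonical path it just checked rather than re-walking the original one.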
@@ -37,11 +37,14 @@ int cgit_print_file(char *path, const char *head) return -1; type = sha1_object_info(sha1, &size); if(type == OBJ_COMMIT && path) { + struct pathspec pathspec; commit = lookup_commit_reference(sha1); match_path = path; matched_sha1 = sha1; found_path = 0; - read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL); + init_pathspec(&pathspec, paths); + read_tree_recursive(commit->tree, "", 0, 0, &pathspec, walk_tree, NULL); + free_pathspec(&pathspec); if (!found_path) return -1; type = sha1_object_info(sha1, &size); @@ -80,10 +83,13 @@ void cgit_print_blob(const char *hex, char *path, const char *head) type = sha1_object_info(sha1, &size); if((!hex) && type == OBJ_COMMIT && path) { + struct pathspec pathspec; commit = lookup_commit_reference(sha1); match_path = path; matched_sha1 = sha1; - read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL); + init_pathspec(&pathspec, paths); + read_tree_recursive(commit->tree, "", 0, 0, &pathspec, walk_tree, NULL); + free_pathspec(&pathspec); type = sha1_object_info(sha1,&size); } --- ui-plain.c +++ ui-plain.c @@ -145,6 +145,7 @@ void cgit_print_plain(struct cgit_context *ctx) unsigned char sha1[20]; struct commit *commit; const char *paths[] = {ctx->qry.path, NULL}; + struct pathspec pathspec; if (!rev) rev = ctx->qry.head; @@ -165,7 +166,9 @@ void cgit_print_plain(struct cgit_context *ctx) } else match_baselen = basedir_len(paths[0]); - read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL); + init_pathspec(&pathspec, paths); + read_tree_recursive(commit->tree, "", 0, 0, &pathspec, walk_tree, NULL); + free_pathspec(&pathspec); if (!match) html_status(404, "Not found", 0); else if (match == 2) ++++++ cgit-fix-print-tree.diff ++++++ --- ui-tree.c 2011-11-17 18:00:20.036822908 +0100 +++ ui-tree.c 2011-11-17 18:01:22.396236999 +0100 
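Review bot: the three hunks in ui-blob.c and ui-plain.c repeat the same `init_pathspec` / `read_tree_recursive` / `free_pathspec` triplet verbatim (and cgit-fix-print-tree.diff adds a fourth copy in ui-tree.c); a small static helper taking the `paths` array, the tree and the callback would keep the pathspec's lifetime in one place and make the next call site harder to get wrong. The substance is right for the git 1.7.6 API the build fix targets: `read_tree_recursive` now receives a `struct pathspec *` instead of the raw `paths` array, and the `free_pathspec` after each call releases what `init_pathspec` allocated. In ui-plain.c the `struct pathspec pathspec;` declared in the first hunk is only initialised in the second, so the early-exit paths between them must not call `free_pathspec` on it, which they currently do not.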
@@ -262,6 +262,7 @@ unsigned char sha1[20]; struct commit *commit; const char *paths[] = {path, NULL}; + struct pathspec pathspec; if (!rev) rev = ctx.qry.head; @@ -283,6 +284,8 @@ } match_path = path; - read_tree_recursive(commit->tree, "", 0, 0, paths, walk_tree, NULL); + init_pathspec(&pathspec, paths); + read_tree_recursive(commit->tree, "", 0, 0, &pathspec, walk_tree, NULL); + free_pathspec(&pathspec); ls_tail(); } ++++++ cgit-git-1.7.6_build_fix.patch ++++++ --- shared.c | 11 ++++++----- ui-stats.c | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) Index: cgit-0.9.0.2/shared.c =================================================================== --- cgit-0.9.0.2.orig/shared.c 2011-07-21 16:24:10.000000000 +0200 +++ cgit-0.9.0.2/shared.c 2011-08-04 01:20:42.695017536 +0200 @@ -303,7 +303,7 @@ void cgit_diff_tree(const unsigned char filepair_fn fn, const char *prefix, int ignorews) { struct diff_options opt; - int prefixlen; + struct pathspec_item pitem; diff_setup(&opt); opt.output_format = DIFF_FORMAT_CALLBACK; @@ -315,10 +315,11 @@ void cgit_diff_tree(const unsigned char opt.format_callback = cgit_diff_tree_cb; opt.format_callback_data = fn; if (prefix) { - opt.nr_paths = 1; - opt.paths = &prefix; - prefixlen = strlen(prefix); - opt.pathlens = &prefixlen; + opt.pathspec.nr = 1; + opt.pathspec.raw = &prefix; + pitem.match = prefix; + pitem.len = strlen(prefix); + opt.pathspec.items = &pitem; } diff_setup_done(&opt); Index: cgit-0.9.0.2/ui-stats.c =================================================================== --- cgit-0.9.0.2.orig/ui-stats.c 2011-07-21 16:24:10.000000000 +0200 +++ cgit-0.9.0.2/ui-stats.c 2011-08-04 01:20:42.695017536 +0200 
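Review bot: in the shared.c hunk (@@ -315,10 +315,11 @@), only `pitem.match` and `pitem.len` are assigned before `opt.pathspec.items = &pitem;`; any other members of `struct pathspec_item` keep whatever the stack held. Initialise it fully, for example by changing the declaration in the first hunk to `struct pathspec_item pitem = { 0 };` or adding `memset(&pitem, 0, sizeof(pitem));` before the assignments, so diff_setup_done() and the tree walk never read indeterminate flags. `opt.pathspec.raw = &prefix;` stores the address of a function parameter, which is fine only because `opt` is local to cgit_diff_tree() and does not outlive the call; a comment saying so would help the next reader.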
@@ -239,7 +239,7 @@ struct string_list collect_stats(struct init_revisions(&rev, NULL); rev.abbrev = DEFAULT_ABBREV; rev.commit_format = CMIT_FMT_DEFAULT; - rev.no_merges = 1; + rev.max_parents = 1; rev.verbose_header = 1; rev.show_root_diff = 0; setup_revisions(argc, argv, &rev, NULL); Index: cgit-0.9.0.2/ui-tree.c =================================================================== --- cgit-0.9.0.2.orig/ui-tree.c 2011-07-21 16:24:10.000000000 +0200 +++ cgit-0.9.0.2/ui-tree.c 2011-08-04 01:20:58.632061214 +0200 @@ -206,6 +206,8 @@ static void ls_tail() static void ls_tree(const unsigned char *sha1, char *path) { + const char *paths[] = { path, NULL }; + struct pathspec pathspec; struct tree *tree; tree = parse_tree_indirect(sha1); @@ -216,7 +218,9 @@ static void ls_tree(const unsigned char } ls_head(); - read_tree_recursive(tree, "", 0, 1, NULL, ls_item, NULL); + init_pathspec(&pathspec, paths); + read_tree_recursive(tree, "", 0, 1, &pathspec, ls_item, NULL); + free_pathspec(&pathspec); ls_tail(); } ++++++ cgit-optflags.diff ++++++ --- Makefile | 1 + 1 file changed, 1 insertion(+) --- a/Makefile +++ b/Makefile 
@@ -134,6 +134,7 @@ CFLAGS += -g -Wall -Igit +CFLAGS += $(RPM_OPT_FLAGS) CFLAGS += -DSHA1_HEADER='$(SHA1_HEADER)' CFLAGS += -DCGIT_VERSION='"$(CGIT_VERSION)"' CFLAGS += -DCGIT_CONFIG='"$(CGIT_CONFIG)"'

++++++ cgitrc ++++++
# Enable caching of up to 1000 output entries
cache-size=1000

# Specify some default clone prefixes
clone-prefix=ssh://domain.com/var/git

# Specify the css url
css=/git/cgit.css

# Specify the logo url
logo=/git/cgit.png

# Show extra links for each repository on the index page
enable-index-links=1

# Show number of affected files per commit on the log pages
enable-log-filecount=1

# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1

# Set the title and heading of the repository index page
root-title=git repositories

# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.bz2 zip

##
## List of common mimetypes
##
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml

##
## List of repositories.
## PS: Any repositories listed when section is unset will not be
##     displayed under a section heading
## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
##      and included like this:
##        include=/etc/cgitrepos
##

# Add your repositories here.
#
# Examples:
#
# repo.url=main
# repo.path=/var/git/main.git
# repo.desc=Main repository
# [email protected]
#
# repo.url=secondary
# repo.path=/var/git/ut.git
# repo.desc=Secondary repository
# [email protected]
