
commit f615bb137c208d6eb96170510ba7c0c5b88e2113
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Jan 27 20:54:12 2016 +0100

    Imported Debian patch 0.11.2.git2.3.2-1.1
---
 debian/changelog                                   | 12 ++++
 ...oid-integer-overflow-in-authenticate_post.patch | 34 +++++++++
 debian/patches/series                              |  3 +
 .../ui-blob-Do-not-accept-mimetype-from-user.patch | 51 ++++++++++++++
 ...revent-malicious-filename-from-injecting-.patch | 82 ++++++++++++++++++++++
 5 files changed, 182 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bc978cd..e011e3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+cgit (0.11.2.git2.3.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-1899: Reflected XSS and header injection in mimetype query
+    string (Closes: #812411)
+  * CVE-2016-1900: Stored cross site scripting and header injection in
+    filename parameter (Closes: #812411)
+  * CVE-2016-1901: Integer overflow resulting in buffer overflow
+    (Closes: #812411)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Wed, 27 Jan 2016 20:54:12 +0100
+
 cgit (0.11.2.git2.3.2-1) unstable; urgency=medium
 
   * [7f8779f] Imported Upstream version 0.11.2.git2.3.2
diff --git a/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch b/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
new file mode 100644
index 0000000..20cb966
--- /dev/null
+++ b/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
@@ -0,0 +1,34 @@
+From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Tue, 24 Nov 2015 11:28:00 +0100
+Subject: [PATCH] filter: avoid integer overflow in authenticate_post
+
+ctx.env.content_length is an unsigned int, coming from the
+CONTENT_LENGTH environment variable, which is parsed by strtoul. The
+HTTP/1.1 spec says that "any Content-Length greater than or equal to
+zero is a valid value." By storing this into an int, we potentially
+overflow it, resulting in the following bounding check failing, leading
+to a buffer overflow.
+
+Reported-by: Erik Cabetas <Erik at cabetas.com>
+Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
+---
+ cgit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cgit.c b/cgit.c
+index 5937b9e..05e5d57 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
+ static inline void authenticate_post(void)
+ {
+ 	char buffer[MAX_AUTHENTICATION_POST_BYTES];
+-	int len;
++	unsigned int len;
+ 
+ 	open_auth_filter("authenticate-post");
+ 	len = ctx.env.content_length;
+-- 
+2.7.0
+
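Review bot: The type change on `len` is the whole of what this hunk shows, but the comparison against MAX_AUTHENTICATION_POST_BYTES that the patch description says it protects is outside the hunk (authenticate_post continues after the `len = ctx.env.content_length;` line), so nothing visible here confirms that the bound check itself now compares two unsigned values. Given that ctx.env.content_length is described as an unsigned int produced by strtoul, a one-line comment at the new declaration would record why the type matters: `unsigned int len; /* must match ctx.env.content_length: a signed int could wrap negative and pass the size check below */`. The patch file also carries no DEP-3 header; adding a `Bug-Debian:` line pointing at #812411 (the bug the changelog entry closes) would let the next maintainer trace why the series carries it.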
diff --git a/debian/patches/series b/debian/patches/series
index 972d846..924d0a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,6 @@ hardening
 assume-highlight-version-3-in-filter-script
 add-highlighting-rules-to-cgit.css
 Use-debian-binary-name-rst2html
+ui-blob-Do-not-accept-mimetype-from-user.patch
+ui-shared-prevent-malicious-filename-from-injecting-.patch
+filter-avoid-integer-overflow-in-authenticate_post.patch
diff --git a/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch b/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
new file mode 100644
index 0000000..8523274
--- /dev/null
+++ b/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
@@ -0,0 +1,51 @@
+From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Thu, 14 Jan 2016 14:31:13 +0100
+Subject: [PATCH] ui-blob: Do not accept mimetype from user
+
+---
+ cgit.c    | 2 --
+ cgit.h    | 1 -
+ ui-blob.c | 1 -
+ 3 files changed, 4 deletions(-)
+
+diff --git a/cgit.c b/cgit.c
+index 05e5d57..3ed1935 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
+ 		ctx.qry.path = trim_end(value, '/');
+ 	} else if (!strcmp(name, "name")) {
+ 		ctx.qry.name = xstrdup(value);
+-	} else if (!strcmp(name, "mimetype")) {
+-		ctx.qry.mimetype = xstrdup(value);
+ 	} else if (!strcmp(name, "s")) {
+ 		ctx.qry.sort = xstrdup(value);
+ 	} else if (!strcmp(name, "showmsg")) {
+diff --git a/cgit.h b/cgit.h
+index b7eccdd..4b4bcf4 100644
+--- a/cgit.h
++++ b/cgit.h
+@@ -173,7 +173,6 @@ struct cgit_query {
+ 	char *sha2;
+ 	char *path;
+ 	char *name;
+-	char *mimetype;
+ 	char *url;
+ 	char *period;
+ 	int   ofs;
+diff --git a/ui-blob.c b/ui-blob.c
+index 1ded839..2cce11c 100644
+--- a/ui-blob.c
++++ b/ui-blob.c
+@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
+ 	}
+ 
+ 	buf[size] = '\0';
+-	ctx.page.mimetype = ctx.qry.mimetype;
+ 	if (!ctx.page.mimetype) {
+ 		if (buffer_is_binary(buf, size))
+ 			ctx.page.mimetype = "application/octet-stream";
+-- 
+2.7.0
+
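Review bot: Removing `ctx.page.mimetype = ctx.qry.mimetype;` in ui-blob.c leaves the following `if (!ctx.page.mimetype)` relying on ctx.page.mimetype being NULL when cgit_print_blob reaches this point; if ctx is a zero-initialised global that holds, but it is not visible in this hunk and should be confirmed, since a value left over from an earlier stage of the request would silently skip the content-sniffing fallback. Dropping the `mimetype` member from struct cgit_query in cgit.h also means any remaining reference to `ctx.qry.mimetype` elsewhere in the tree would fail to compile; the patch removes only the two uses shown, which is presumably all of them but cannot be verified from here. The patch body has no message explaining the change; a line after the Subject such as `Content-Type is no longer taken from the request's mimetype query parameter (CVE-2016-1899)` would document the reason, matching the changelog entry.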
diff --git a/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch b/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
new file mode 100644
index 0000000..ea81853
--- /dev/null
+++ b/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
@@ -0,0 +1,82 @@
+From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Thu, 14 Jan 2016 14:28:37 +0100
+Subject: [PATCH] ui-shared: prevent malicious filename from injecting headers
+
+---
+ html.c      | 26 ++++++++++++++++++++++++++
+ html.h      |  1 +
+ ui-shared.c |  8 +++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/html.c b/html.c
+index 959148c..d89df3a 100644
+--- a/html.c
++++ b/html.c
+@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
+ 		html(txt);
+ }
+ 
++void html_header_arg_in_quotes(const char *txt)
++{
++	const char *t = txt;
++	while (t && *t) {
++		unsigned char c = *t;
++		const char *e = NULL;
++		if (c == '\\')
++			e = "\\\\";
++		else if (c == '\r')
++			e = "\\r";
++		else if (c == '\n')
++			e = "\\n";
++		else if (c == '"')
++			e = "\\\"";
++		if (e) {
++			html_raw(txt, t - txt);
++			html(e);
++			txt = t + 1;
++		}
++		t++;
++	}
++	if (t != txt)
++		html(txt);
++
++}
++
+ void html_hidden(const char *name, const char *value)
+ {
+ 	html("<input type='hidden' name='");
+diff --git a/html.h b/html.h
+index c554763..c72e845 100644
+--- a/html.h
++++ b/html.h
+@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
+ extern void html_attr(const char *txt);
+ extern void html_url_path(const char *txt);
+ extern void html_url_arg(const char *txt);
++extern void html_header_arg_in_quotes(const char *txt);
+ extern void html_hidden(const char *name, const char *value);
+ extern void html_option(const char *value, const char *text, const char *selected_value);
+ extern void html_intoption(int value, const char *text, int selected_value);
+diff --git a/ui-shared.c b/ui-shared.c
+index 21f581f..54bbde7 100644
+--- a/ui-shared.c
++++ b/ui-shared.c
+@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
+ 		htmlf("Content-Type: %s\n", ctx.page.mimetype);
+ 	if (ctx.page.size)
+ 		htmlf("Content-Length: %zd\n", ctx.page.size);
+-	if (ctx.page.filename)
+-		htmlf("Content-Disposition: inline; filename=\"%s\"\n",
+-		      ctx.page.filename);
++	if (ctx.page.filename) {
++		html("Content-Disposition: inline; filename=\"");
++		html_header_arg_in_quotes(ctx.page.filename);
++		html("\"\n");
++	}
+ 	if (!ctx.env.authenticated)
+ 		html("Cache-Control: no-cache, no-store\n");
+ 	htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
+-- 
+2.7.0
+
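Review bot: html_header_arg_in_quotes is added without any comment stating its contract, and its declaration in html.h is equally bare; since it is the only thing between a repository path and the Content-Disposition header line, a doc comment on the definition should say that it backslash-escapes `\`, `"`, CR and LF for use inside a quoted-string header parameter and nothing else (other control bytes pass through unchanged). The blank line before the closing brace of the new function is stray. Separately, the cgit_print_http_headers hunk still emits `Content-Type: %s` from ctx.page.mimetype through htmlf unescaped; with the sibling ui-blob patch removing the query-string source that value is presumably no longer user controlled, but that dependency between the two patches is worth stating in the patch description. cgit_print_http_headers starts and ends outside the hunk.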
