[Pkg-cgit-commits] [pkg-cgit] 39/49: Imported Debian patch 0.11.2.git2.3.2-1.1
Peter Colberg
peter at colberg.org
Thu Jun 16 01:49:19 UTC 2016
pc-guest pushed a commit to branch master
in repository pkg-cgit.
commit f615bb137c208d6eb96170510ba7c0c5b88e2113
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Wed Jan 27 20:54:12 2016 +0100
Imported Debian patch 0.11.2.git2.3.2-1.1
---
debian/changelog | 12 ++++
...oid-integer-overflow-in-authenticate_post.patch | 34 +++++++++
debian/patches/series | 3 +
.../ui-blob-Do-not-accept-mimetype-from-user.patch | 51 ++++++++++++++
...revent-malicious-filename-from-injecting-.patch | 82 ++++++++++++++++++++++
5 files changed, 182 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index bc978cd..e011e3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+cgit (0.11.2.git2.3.2-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-1899: Reflected XSS and header injection in mimetype query
+ string (Closes: #812411)
+ * CVE-2016-1900: Stored cross site scripting and header injection in
+ filename parameter (Closes: #812411)
+ * CVE-2016-1901: Integer overflow resulting in buffer overflow
+ (Closes: #812411)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Wed, 27 Jan 2016 20:54:12 +0100
+
cgit (0.11.2.git2.3.2-1) unstable; urgency=medium
* [7f8779f] Imported Upstream version 0.11.2.git2.3.2
diff --git a/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch b/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
new file mode 100644
index 0000000..20cb966
--- /dev/null
+++ b/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
@@ -0,0 +1,34 @@
+From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Tue, 24 Nov 2015 11:28:00 +0100
+Subject: [PATCH] filter: avoid integer overflow in authenticate_post
+
+ctx.env.content_length is an unsigned int, coming from the
+CONTENT_LENGTH environment variable, which is parsed by strtoul. The
+HTTP/1.1 spec says that "any Content-Length greater than or equal to
+zero is a valid value." By storing this into an int, we potentially
+overflow it, resulting in the following bounding check failing, leading
+to a buffer overflow.
+
+Reported-by: Erik Cabetas <Erik at cabetas.com>
+Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
+---
+ cgit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cgit.c b/cgit.c
+index 5937b9e..05e5d57 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
+ static inline void authenticate_post(void)
+ {
+ char buffer[MAX_AUTHENTICATION_POST_BYTES];
+- int len;
++ unsigned int len;
+
+ open_auth_filter("authenticate-post");
+ len = ctx.env.content_length;
+--
+2.7.0
+
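Review bot: The type change at `+ unsigned int len;` is only half of what a reader needs to verify here: the bound check that the description says was failing comes after `len = ctx.env.content_length;` and is outside the quoted context, so whether the comparison now rejects every length above MAX_AUTHENTICATION_POST_BYTES cannot be confirmed from this hunk. A short comment on the declaration would record why the type matters, e.g. `/* unsigned: mirrors ctx.env.content_length (parsed with strtoul), so a large CONTENT_LENGTH cannot become negative and slip past the bound check */`. The enclosing function authenticate_post continues past the end of the hunk.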
diff --git a/debian/patches/series b/debian/patches/series
index 972d846..924d0a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,6 @@ hardening
assume-highlight-version-3-in-filter-script
add-highlighting-rules-to-cgit.css
Use-debian-binary-name-rst2html
+ui-blob-Do-not-accept-mimetype-from-user.patch
+ui-shared-prevent-malicious-filename-from-injecting-.patch
+filter-avoid-integer-overflow-in-authenticate_post.patch
diff --git a/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch b/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
new file mode 100644
index 0000000..8523274
--- /dev/null
+++ b/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
@@ -0,0 +1,51 @@
+From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Thu, 14 Jan 2016 14:31:13 +0100
+Subject: [PATCH] ui-blob: Do not accept mimetype from user
+
+---
+ cgit.c | 2 --
+ cgit.h | 1 -
+ ui-blob.c | 1 -
+ 3 files changed, 4 deletions(-)
+
+diff --git a/cgit.c b/cgit.c
+index 05e5d57..3ed1935 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
+ ctx.qry.path = trim_end(value, '/');
+ } else if (!strcmp(name, "name")) {
+ ctx.qry.name = xstrdup(value);
+- } else if (!strcmp(name, "mimetype")) {
+- ctx.qry.mimetype = xstrdup(value);
+ } else if (!strcmp(name, "s")) {
+ ctx.qry.sort = xstrdup(value);
+ } else if (!strcmp(name, "showmsg")) {
+diff --git a/cgit.h b/cgit.h
+index b7eccdd..4b4bcf4 100644
+--- a/cgit.h
++++ b/cgit.h
+@@ -173,7 +173,6 @@ struct cgit_query {
+ char *sha2;
+ char *path;
+ char *name;
+- char *mimetype;
+ char *url;
+ char *period;
+ int ofs;
+diff --git a/ui-blob.c b/ui-blob.c
+index 1ded839..2cce11c 100644
+--- a/ui-blob.c
++++ b/ui-blob.c
+@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
+ }
+
+ buf[size] = '\0';
+- ctx.page.mimetype = ctx.qry.mimetype;
+ if (!ctx.page.mimetype) {
+ if (buffer_is_binary(buf, size))
+ ctx.page.mimetype = "application/octet-stream";
+--
+2.7.0
+
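Review bot: The quilt patch carries no description below its Subject line, so nothing in the patch itself records why the `mimetype` query parameter is dropped; the changelog hunk in this commit ties it to CVE-2016-1899, and a one-line rationale belongs in the patch header too, e.g. `Fixes CVE-2016-1899: ctx.page.mimetype, and with it the Content-Type header, was taken from the user-supplied mimetype query parameter.` After the removed line `- ctx.page.mimetype = ctx.qry.mimetype;`, the following `if (!ctx.page.mimetype)` tests whatever value the field held when cgit_print_blob was entered, presumably NULL from context initialisation, but that is not visible here and is worth confirming. Removing the `char *mimetype;` member from struct cgit_query has the useful side effect that any remaining reference to `ctx.qry.mimetype` elsewhere in the tree fails to compile rather than silently reading stale data.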
diff --git a/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch b/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
new file mode 100644
index 0000000..ea81853
--- /dev/null
+++ b/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
@@ -0,0 +1,82 @@
+From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Thu, 14 Jan 2016 14:28:37 +0100
+Subject: [PATCH] ui-shared: prevent malicious filename from injecting headers
+
+---
+ html.c | 26 ++++++++++++++++++++++++++
+ html.h | 1 +
+ ui-shared.c | 8 +++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/html.c b/html.c
+index 959148c..d89df3a 100644
+--- a/html.c
++++ b/html.c
+@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
+ html(txt);
+ }
+
++void html_header_arg_in_quotes(const char *txt)
++{
++ const char *t = txt;
++ while (t && *t) {
++ unsigned char c = *t;
++ const char *e = NULL;
++ if (c == '\\')
++ e = "\\\\";
++ else if (c == '\r')
++ e = "\\r";
++ else if (c == '\n')
++ e = "\\n";
++ else if (c == '"')
++ e = "\\\"";
++ if (e) {
++ html_raw(txt, t - txt);
++ html(e);
++ txt = t + 1;
++ }
++ t++;
++ }
++ if (t != txt)
++ html(txt);
++
++}
++
+ void html_hidden(const char *name, const char *value)
+ {
+ html("<input type='hidden' name='");
+diff --git a/html.h b/html.h
+index c554763..c72e845 100644
+--- a/html.h
++++ b/html.h
+@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
+ extern void html_attr(const char *txt);
+ extern void html_url_path(const char *txt);
+ extern void html_url_arg(const char *txt);
++extern void html_header_arg_in_quotes(const char *txt);
+ extern void html_hidden(const char *name, const char *value);
+ extern void html_option(const char *value, const char *text, const char *selected_value);
+ extern void html_intoption(int value, const char *text, int selected_value);
+diff --git a/ui-shared.c b/ui-shared.c
+index 21f581f..54bbde7 100644
+--- a/ui-shared.c
++++ b/ui-shared.c
+@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
+ htmlf("Content-Type: %s\n", ctx.page.mimetype);
+ if (ctx.page.size)
+ htmlf("Content-Length: %zd\n", ctx.page.size);
+- if (ctx.page.filename)
+- htmlf("Content-Disposition: inline; filename=\"%s\"\n",
+- ctx.page.filename);
++ if (ctx.page.filename) {
++ html("Content-Disposition: inline; filename=\"");
++ html_header_arg_in_quotes(ctx.page.filename);
++ html("\"\n");
++ }
+ if (!ctx.env.authenticated)
+ html("Cache-Control: no-cache, no-store\n");
+ htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
+--
+2.7.0
+
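Review bot: html_header_arg_in_quotes at `+void html_header_arg_in_quotes(const char *txt)` escapes only backslash, CR, LF and double quote; every other byte, including remaining control characters such as 0x0b, 0x0c or 0x7f, is copied through unchanged, so while CR and LF (the bytes that actually split a header) are covered, the emitted value is not guaranteed to be a well-formed HTTP quoted-string for an arbitrary filename. The function has no header comment; one stating the contract would help, e.g. `/* Emit txt as the body of an HTTP quoted-string: backslash, CR, LF and '"' become quoted-pairs; all other bytes pass through unchanged. */`. The empty line between `html(txt);` and the closing `}` is a stray blank and should be dropped. A NULL txt is handled by the `while (t && *t)` guard, although the only caller visible here, cgit_print_http_headers, already tests ctx.page.filename before calling.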