Control: tags 812411 + pending

Hi Alexander,

I've prepared an NMU for cgit (versioned as 0.11.2.git2.3.2-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru cgit-0.11.2.git2.3.2/debian/changelog cgit-0.11.2.git2.3.2/debian/changelog
--- cgit-0.11.2.git2.3.2/debian/changelog	2015-08-11 10:24:04.000000000 +0200
+++ cgit-0.11.2.git2.3.2/debian/changelog	2016-02-07 06:52:10.000000000 +0100
@@ -1,3 +1,15 @@
+cgit (0.11.2.git2.3.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-1899: Reflected XSS and header injection in mimetype query
+    string (Closes: #812411)
+  * CVE-2016-1900: Stored cross site scripting and header injection in
+    filename parameter (Closes: #812411)
+  * CVE-2016-1901: Integer overflow resulting in buffer overflow
+    (Closes: #812411)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 27 Jan 2016 20:54:12 +0100
+
 cgit (0.11.2.git2.3.2-1) unstable; urgency=medium
 
   * [7f8779f] Imported Upstream version 0.11.2.git2.3.2
diff -Nru cgit-0.11.2.git2.3.2/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch cgit-0.11.2.git2.3.2/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch
--- cgit-0.11.2.git2.3.2/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch	1970-01-01 01:00:00.000000000 +0100
+++ cgit-0.11.2.git2.3.2/debian/patches/filter-avoid-integer-overflow-in-authenticate_post.patch	2016-02-07 06:51:56.000000000 +0100
@@ -0,0 +1,34 @@
+From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <ja...@zx2c4.com>
+Date: Tue, 24 Nov 2015 11:28:00 +0100
+Subject: [PATCH] filter: avoid integer overflow in authenticate_post
+
+ctx.env.content_length is an unsigned int, coming from the
+CONTENT_LENGTH environment variable, which is parsed by strtoul. The
+HTTP/1.1 spec says that "any Content-Length greater than or equal to
+zero is a valid value." By storing this into an int, we potentially
+overflow it, resulting in the following bounding check failing, leading
+to a buffer overflow.
+
+Reported-by: Erik Cabetas <e...@cabetas.com>
+Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com>
+---
+ cgit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cgit.c b/cgit.c
+index 5937b9e..05e5d57 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
+ static inline void authenticate_post(void)
+ {
+ 	char buffer[MAX_AUTHENTICATION_POST_BYTES];
+-	int len;
++	unsigned int len;
+ 
+ 	open_auth_filter("authenticate-post");
+ 	len = ctx.env.content_length;
+-- 
+2.7.0
+
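Review bot: The comparison this type change is meant to make safe is not in the hunk — `authenticate_post` continues past `len = ctx.env.content_length;` — so it cannot be confirmed here that the check against `MAX_AUTHENTICATION_POST_BYTES` now runs in unsigned arithmetic and still precedes the read into `buffer`; worth verifying in the patched source. Since the reason for the type lives only in the commit message, a one-line comment at the declaration would keep it from being undone by a later cleanup: `unsigned int len; /* CONTENT_LENGTH is parsed with strtoul; a signed len could go negative and bypass the bound check below */`. The description also says `content_length` is already `unsigned int` while `strtoul` returns `unsigned long`, so any truncation presumably happens when the environment is read, before this function; that is harmless for the bound as long as the same `len` limits the read.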
diff -Nru cgit-0.11.2.git2.3.2/debian/patches/series cgit-0.11.2.git2.3.2/debian/patches/series
--- cgit-0.11.2.git2.3.2/debian/patches/series	2015-08-10 22:13:06.000000000 +0200
+++ cgit-0.11.2.git2.3.2/debian/patches/series	2016-02-07 06:51:56.000000000 +0100
@@ -8,3 +8,6 @@
 assume-highlight-version-3-in-filter-script
 add-highlighting-rules-to-cgit.css
 Use-debian-binary-name-rst2html
+ui-blob-Do-not-accept-mimetype-from-user.patch
+ui-shared-prevent-malicious-filename-from-injecting-.patch
+filter-avoid-integer-overflow-in-authenticate_post.patch
diff -Nru cgit-0.11.2.git2.3.2/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch cgit-0.11.2.git2.3.2/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch
--- cgit-0.11.2.git2.3.2/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch	1970-01-01 01:00:00.000000000 +0100
+++ cgit-0.11.2.git2.3.2/debian/patches/ui-blob-Do-not-accept-mimetype-from-user.patch	2016-01-27 20:51:36.000000000 +0100
@@ -0,0 +1,51 @@
+From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <ja...@zx2c4.com>
+Date: Thu, 14 Jan 2016 14:31:13 +0100
+Subject: [PATCH] ui-blob: Do not accept mimetype from user
+
+---
+ cgit.c    | 2 --
+ cgit.h    | 1 -
+ ui-blob.c | 1 -
+ 3 files changed, 4 deletions(-)
+
+diff --git a/cgit.c b/cgit.c
+index 05e5d57..3ed1935 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
+ 		ctx.qry.path = trim_end(value, '/');
+ 	} else if (!strcmp(name, "name")) {
+ 		ctx.qry.name = xstrdup(value);
+-	} else if (!strcmp(name, "mimetype")) {
+-		ctx.qry.mimetype = xstrdup(value);
+ 	} else if (!strcmp(name, "s")) {
+ 		ctx.qry.sort = xstrdup(value);
+ 	} else if (!strcmp(name, "showmsg")) {
+diff --git a/cgit.h b/cgit.h
+index b7eccdd..4b4bcf4 100644
+--- a/cgit.h
++++ b/cgit.h
+@@ -173,7 +173,6 @@ struct cgit_query {
+ 	char *sha2;
+ 	char *path;
+ 	char *name;
+-	char *mimetype;
+ 	char *url;
+ 	char *period;
+ 	int   ofs;
+diff --git a/ui-blob.c b/ui-blob.c
+index 1ded839..2cce11c 100644
+--- a/ui-blob.c
++++ b/ui-blob.c
+@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
+ 	}
+ 
+ 	buf[size] = '\0';
+-	ctx.page.mimetype = ctx.qry.mimetype;
+ 	if (!ctx.page.mimetype) {
+ 		if (buffer_is_binary(buf, size))
+ 			ctx.page.mimetype = "application/octet-stream";
+-- 
+2.7.0
+
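Review bot: After the `querystring_cb` hunk the `mimetype` query parameter is silently ignored rather than rejected, and nothing in the code records why it was removed, which invites someone re-adding it later; a comment at that point in the else-if chain would pin it: `/* "mimetype" is deliberately not read from the query string: it was echoed verbatim into the Content-Type header (CVE-2016-1899) */`. With the assignment in `cgit_print_blob` gone, the following `if (!ctx.page.mimetype)` presumably relies on the caller not having set `ctx.page.mimetype` beforehand for the content sniffing to run; that is unchanged by this patch but worth confirming. Unlike the authenticate_post patch, this one carries no description; a DEP-3 line such as `Bug-Debian: https://bugs.debian.org/812411` in the patch header would tie it to the changelog entry.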
diff -Nru cgit-0.11.2.git2.3.2/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch cgit-0.11.2.git2.3.2/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch
--- cgit-0.11.2.git2.3.2/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch	1970-01-01 01:00:00.000000000 +0100
+++ cgit-0.11.2.git2.3.2/debian/patches/ui-shared-prevent-malicious-filename-from-injecting-.patch	2016-02-07 06:51:47.000000000 +0100
@@ -0,0 +1,82 @@
+From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <ja...@zx2c4.com>
+Date: Thu, 14 Jan 2016 14:28:37 +0100
+Subject: [PATCH] ui-shared: prevent malicious filename from injecting headers
+
+---
+ html.c      | 26 ++++++++++++++++++++++++++
+ html.h      |  1 +
+ ui-shared.c |  8 +++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/html.c b/html.c
+index 959148c..d89df3a 100644
+--- a/html.c
++++ b/html.c
+@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
+ 		html(txt);
+ }
+ 
++void html_header_arg_in_quotes(const char *txt)
++{
++	const char *t = txt;
++	while (t && *t) {
++		unsigned char c = *t;
++		const char *e = NULL;
++		if (c == '\\')
++			e = "\\\\";
++		else if (c == '\r')
++			e = "\\r";
++		else if (c == '\n')
++			e = "\\n";
++		else if (c == '"')
++			e = "\\\"";
++		if (e) {
++			html_raw(txt, t - txt);
++			html(e);
++			txt = t + 1;
++		}
++		t++;
++	}
++	if (t != txt)
++		html(txt);
++
++}
++
+ void html_hidden(const char *name, const char *value)
+ {
+ 	html("<input type='hidden' name='");
+diff --git a/html.h b/html.h
+index c554763..c72e845 100644
+--- a/html.h
++++ b/html.h
+@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
+ extern void html_attr(const char *txt);
+ extern void html_url_path(const char *txt);
+ extern void html_url_arg(const char *txt);
++extern void html_header_arg_in_quotes(const char *txt);
+ extern void html_hidden(const char *name, const char *value);
+ extern void html_option(const char *value, const char *text, const char *selected_value);
+ extern void html_intoption(int value, const char *text, int selected_value);
+diff --git a/ui-shared.c b/ui-shared.c
+index 21f581f..54bbde7 100644
+--- a/ui-shared.c
++++ b/ui-shared.c
+@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
+ 		htmlf("Content-Type: %s\n", ctx.page.mimetype);
+ 	if (ctx.page.size)
+ 		htmlf("Content-Length: %zd\n", ctx.page.size);
+-	if (ctx.page.filename)
+-		htmlf("Content-Disposition: inline; filename=\"%s\"\n",
+-		      ctx.page.filename);
++	if (ctx.page.filename) {
++		html("Content-Disposition: inline; filename=\"");
++		html_header_arg_in_quotes(ctx.page.filename);
++		html("\"\n");
++	}
+ 	if (!ctx.env.authenticated)
+ 		html("Cache-Control: no-cache, no-store\n");
+ 	htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
+-- 
+2.7.0
+
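Review bot: `html_header_arg_in_quotes` in the html.c hunk is added without any comment stating what it guarantees, and the name does not say which characters it handles, so the contract relied on by `cgit_print_http_headers` is only discoverable by reading the loop. I would put above the definition a comment to the effect that it emits `txt` for use inside a double-quoted HTTP header parameter, backslash-escaping `\`, `"`, CR and LF as quoted-pairs so the value can neither close the quoted-string nor end the header line, that every other byte — including other control characters and non-ASCII — passes through unchanged, and that NULL or empty input emits nothing. It is also worth recording that CR and LF become the two-character sequences `\r` and `\n`, which a quoted-pair-aware parser decodes to the letters r and n, so such a filename is altered rather than preserved — acceptable for this purpose, but not obvious from the code. The html.h declaration could carry the same one-liner, in the style of the neighbouring `html_url_arg`.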
