Control: tags 905382 + pending
Dear maintainer, hi Peter, hi Alexander,

I've prepared an NMU for cgit (versioned as 1.1+git2.10.2-3.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. I chose delayed/10 since I'm not strictly following the advice and good practice on NMUs, as the bug was just from yesterday, and definitely not enough time for the maintainer to react. I have prepared an update for stretch-security for the issue and wanted to avoid the discrepancy to buster/sid. I will cancel the NMU if you disagree with my approach of straight doing an NMU.

Regards
Salvatore
diff -Nru cgit-1.1+git2.10.2/debian/changelog cgit-1.1+git2.10.2/debian/changelog --- cgit-1.1+git2.10.2/debian/changelog 2017-01-06 06:08:21.000000000 +0100 +++ cgit-1.1+git2.10.2/debian/changelog 2018-08-04 12:27:48.000000000 +0200 @@ -1,3 +1,10 @@ +cgit (1.1+git2.10.2-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * clone: fix directory traversal (CVE-2018-14912) (Closes: #905382) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 04 Aug 2018 12:27:48 +0200 + cgit (1.1+git2.10.2-3) unstable; urgency=medium * Build-depend on asciidoc-base | asciidoc. diff -Nru cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch --- cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch 1970-01-01 01:00:00.000000000 +0100 +++ cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch 2018-08-04 12:26:43.000000000 +0200 
@@ -0,0 +1,65 @@ +From: "Jason A. Donenfeld" <ja...@zx2c4.com> +Date: Fri, 3 Aug 2018 15:46:11 +0200 +Subject: clone: fix directory traversal +Origin: https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14912 +Bug-Debian: https://bugs.debian.org/905382 +Bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627 + +This was introduced in the initial version of this code, way back when +in 2008. + +$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd +root:x:0:0:root:/root:/bin/sh +... + +Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com> +Reported-by: Jann Horn <ja...@google.com> +--- + ui-clone.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/ui-clone.c b/ui-clone.c +index 2c1ac3d..6ba8f36 100644 +--- a/ui-clone.c ++++ b/ui-clone.c +@@ -92,17 +92,32 @@ void cgit_clone_info(void) + + void cgit_clone_objects(void) + { +- if (!ctx.qry.path) { +- cgit_print_error_page(400, "Bad request", "Bad request"); +- return; +- } ++ char *p; ++ ++ if (!ctx.qry.path) ++ goto err; + + if (!strcmp(ctx.qry.path, "info/packs")) { + print_pack_info(); + return; + } + ++ /* Avoid directory traversal by forbidding "..", but also work around ++ * other funny business by just specifying a fairly strict format. For ++ * example, now we don't have to stress out about the Cygwin port. ++ */ ++ for (p = ctx.qry.path; *p; ++p) { ++ if (*p == '.' && *(p + 1) == '.') ++ goto err; ++ if (!isalnum(*p) && *p != '/' && *p != '.' 
&& *p != '-') ++ goto err; ++ } ++ + send_file(git_path("objects/%s", ctx.qry.path)); ++ return; ++ ++err: ++ cgit_print_error_page(400, "Bad request", "Bad request"); + } + + void cgit_clone_head(void) +-- +2.18.0 + diff -Nru cgit-1.1+git2.10.2/debian/patches/series cgit-1.1+git2.10.2/debian/patches/series --- cgit-1.1+git2.10.2/debian/patches/series 2016-11-25 22:02:50.000000000 +0100 +++ cgit-1.1+git2.10.2/debian/patches/series 2018-08-04 12:26:56.000000000 +0200 @@ -10,3 +10,4 @@ syntax-highlighting.patch fix-crash-when-using-path-limit.patch link-with-ldl-on-gnu-hurd.patch +clone-fix-directory-traversal.patch
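Review bot: in the validation loop added to cgit_clone_objects() in ui-clone.c, `isalnum(*p)` is applied to a plain `char`; on platforms where `char` is signed, a byte with the high bit set yields a negative value, and passing anything other than EOF or an `unsigned char` value to the ctype functions is undefined behaviour, so `isalnum((unsigned char)*p)` is the portable form. The hunk also does not add `#include <ctype.h>`, so please confirm ui-clone.c already gets it through its existing includes rather than relying on an implicit declaration. The logic itself looks right: the explicit `..` test plus the allowlist of alphanumerics, '/', '.' and '-' rejects the `?path=../../../../etc/passwd` request quoted in the commit message and anything else outside that character set, and the error path now goes through the single `err:` label for both the missing-path and the malformed-path cases.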