diff options
-rw-r--r-- | 0001-clone-fix-directory-traversal.patch | 62 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | README.SELinux | 21 | ||||
-rw-r--r-- | cgit.spec | 122 |
4 files changed, 162 insertions, 47 deletions
diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch new file mode 100644 index 0000000..9f647f2 --- /dev/null +++ b/0001-clone-fix-directory-traversal.patch @@ -0,0 +1,62 @@ +From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" <Jason@zx2c4.com> +Date: Fri, 3 Aug 2018 15:46:11 +0200 +Subject: [PATCH] clone: fix directory traversal + +This was introduced in the initial version of this code, way back when +in 2008. + +$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd +root:x:0:0:root:/root:/bin/sh +... + +Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> +Reported-by: Jann Horn <jannh@google.com> +--- + ui-clone.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/ui-clone.c b/ui-clone.c +index 2c1ac3d..6ba8f36 100644 +--- a/ui-clone.c ++++ b/ui-clone.c +@@ -92,17 +92,32 @@ void cgit_clone_info(void) + + void cgit_clone_objects(void) + { +- if (!ctx.qry.path) { +- cgit_print_error_page(400, "Bad request", "Bad request"); +- return; +- } ++ char *p; ++ ++ if (!ctx.qry.path) ++ goto err; + + if (!strcmp(ctx.qry.path, "info/packs")) { + print_pack_info(); + return; + } + ++ /* Avoid directory traversal by forbidding "..", but also work around ++ * other funny business by just specifying a fairly strict format. For ++ * example, now we don't have to stress out about the Cygwin port. ++ */ ++ for (p = ctx.qry.path; *p; ++p) { ++ if (*p == '.' && *(p + 1) == '.') ++ goto err; ++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-') ++ goto err; ++ } ++ + send_file(git_path("objects/%s", ctx.qry.path)); ++ return; ++ ++err: ++ cgit_print_error_page(400, "Bad request", "Bad request"); + } + + void cgit_clone_head(void) +-- +2.18.0 + diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1e65467 --- /dev/null +++ b/Makefile @@ -0,0 +1,4 @@ +SRCDIR := $(shell pwd) +NAME := $(shell basename $(SRCDIR)) +include ../common/Makefile + diff --git a/README.SELinux b/README.SELinux new file mode 100644 index 0000000..1f63c62 --- /dev/null +++ b/README.SELinux @@ -0,0 +1,21 @@ +If you use SELinux, you need to ensure that the httpd_enable_cgi boolean is +set properly. This can be done via the command line, e.g.: + + # setsebool -P httpd_enable_cgi 1 + +Or you can use the graphical tool system-config-selinux, via System -> +Administration -> SELinux Management on the Gnome menu. + +Additionally, the git repositories need to be readable by the cgi. This is +handled automatically for repositories in the default path, /var/lib/git. If +your repositories are in a different path, /srv/git, for example, you can set +the proper context using semanage: + + # semanage fcontext -a -t @CGIT_CONTEXT@ "/srv/git(/.*)?" + +If you have other confined daemons that need to access the git repositories, +you may want to use public_content_t, or public_content_rw_t instead. + +Then use restorecon to update the contexts: + + # restorecon -RF /srv/git @@ -1,3 +1,14 @@ +# remirepo spec file for cgit, from: +# +# Fedora spec file for cgit +# +# License: MIT +# http://opensource.org/licenses/MIT +# +# Please preserve changelog entries +# + + # Review bug: https://bugzilla.redhat.com/479723 %global gitver 2.10.2 @@ -8,11 +19,6 @@ %global syntax_highlight 1 -%if 0%{?rhel} && 0%{?rhel} <= 5 -# On el5, manual actions are needed to make syntax highlighting work -%global syntax_highlight 0 -%endif - # Temporarily -- in epel-7-ppc64 is not highlight package currently, #1117261 %if 0%{?rhel} == 7 %ifarch ppc64 @@ -20,48 +26,33 @@ %endif %endif -%global make_cgit \ -export CFLAGS="%{optflags}" \ -export LDFLAGS="%{?__global_ldflags}" \ -make V=1 %{?_smp_mflags} \\\ - DESTDIR=%{buildroot} \\\ - INSTALL="install -p" \\\ - CACHE_ROOT=%{cachedir} \\\ - CGIT_SCRIPT_PATH=%{scriptdir} \\\ - CGIT_SCRIPT_NAME=cgit \\\ - CGIT_DATA_PATH=%{cgitdata} \\\ - docdir=%{docdir} \\\ - filterdir=%{filterdir} \\\ - prefix=%{_prefix} - Name: cgit Version: 1.1 -Release: 3%{?dist} +Release: 11%{?dist} Summary: A fast web interface for git Group: Development/Tools License: GPLv2 -URL: http://git.zx2c4.com/cgit/ -Source0: http://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz -Source1: http://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz +URL: https://git.zx2c4.com/cgit/ +Source0: https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz +Source1: https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz Source2: cgitrc Source3: README.SELinux +# https://git.zx2c4.com/cgit/commit/?id=53efaf30b +Patch0: 0001-clone-fix-directory-traversal.patch + # Security guys might try to repoquery for this. Provides: bundled(git) = %gitver %if %{syntax_highlight} -# On all but RHEL5 highlight is version 3. +# All supported releases use hightlight version 3. Patch1: cgit-0.9.1-highlightv3.patch BuildRequires: highlight %endif -BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: asciidoc -%if 0%{?rhel} && 0%{?rhel} <= 5 -# These are missing asciidoc requirements -BuildRequires: docbook-style-xsl libxslt -%endif +BuildRequires: gcc %if 0%{?fedora} || 0%{?rhel} >= 6 BuildRequires: libcurl-devel %else @@ -69,14 +60,13 @@ BuildRequires: curl-devel %endif BuildRequires: openssl-devel BuildRequires: lua-devel +BuildRequires: make %if 0%{?fedora} # just to be able to install httpd configuration correctly, FC21+ Requires: httpd-filesystem -Requires: webserver -%else -Requires: httpd %endif +Requires: webserver %description @@ -84,6 +74,7 @@ Cgit is a fast web interface for git. It uses caching to increase performance. %prep %setup -q -a 1 +%patch0 -p1 %if %{syntax_highlight} %patch1 -p1 %endif @@ -91,7 +82,30 @@ Cgit is a fast web interface for git. It uses caching to increase performance. # setup the git dir rm -rf git mv git-%{gitver} git -sed -i 's|^\(CFLAGS = \).*|\1%{optflags}|' git/Makefile + +# Use the same options for every invocation of 'make'. +# Otherwise it will rebuild in %%install due to flags changes. +cat << \EOF > cgit.conf +V = 1 +CFLAGS = %{optflags} +LDFLAGS = %{?__global_ldflags} +DESTDIR = %{buildroot} +INSTALL = install -p +CACHE_ROOT = %{cachedir} +CGIT_SCRIPT_PATH = %{scriptdir} +CGIT_SCRIPT_NAME = cgit +CGIT_DATA_PATH = %{cgitdata} +docdir = %{docdir} +filterdir = %{filterdir} +prefix = %{_prefix} +EOF + +# git build flags +cat << \EOF > git/config.mak +V = 1 +CFLAGS = %{optflags} +LDFLAGS = %{?__global_ldflags} +EOF # I tried to use matchpathcon, but we would need to require # selinux-policy-targeted probably. @@ -100,12 +114,6 @@ build_dist=%{?fedora:fedora}%{?rhel:rhel} build_ver=%{?fedora}%{?rhel} cgit_context=git_sys_content_t -case "$build_dist-$build_ver" in - rhel-5) - cgit_context=httpd_sys_content_t - ;; -esac - sed -e "s|@CGIT_CONTEXT@|$cgit_context|g" \ %{SOURCE3} > README.SELinux @@ -121,10 +129,10 @@ EOF %build -%{make_cgit} +make %{?_smp_mflags} # Something in the a2x chain doesn't like running in parallel. :/ -%{make_cgit} -j1 doc-man doc-html +make -j1 doc-man doc-html %if %{syntax_highlight} # el5 highlight doesn't know --print-style @@ -133,22 +141,23 @@ highlight --print-style --style-outfile=stdout >> cgit.css %install -rm -rf %{buildroot} -%{make_cgit} install install-man +make DESTDIR=%{buildroot} install install-man install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d install -p -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/cgitrc install -p -m0644 httpd.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/cgit.conf install -d -m0755 %{buildroot}%{cachedir} -%clean -rm -rf %{buildroot} - %files -%defattr(-,root,root,-) %doc COPYING README* *.html %config(noreplace) %{_sysconfdir}/cgitrc +%if 0%{?rhel} && 0%{?rhel} <= 7 +# Keep those two httpd-owned directories listed here until httpd-filesystem +# becomes part of EPEL. See rhbz#1138599 for more details. +%dir %{_sysconfdir}/httpd +%dir %{_sysconfdir}/httpd/conf.d +%endif %config(noreplace) %{_sysconfdir}/httpd/conf.d/cgit.conf %dir %attr(-,apache,root) %{cachedir} %{cgitdata} @@ -158,6 +167,25 @@ rm -rf %{buildroot} %changelog +* Fri Aug 24 2018 Remi Collet <remi@remirepo.net> - 1.1-11 +- rebuild for remirepo, synced with EPEL-7: + +* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11 +- Fix directory traversal vulnerability + +* Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10 +- Use https for source URLs +- Remove el5 conditionals +- Use cgit.conf and config.mak for cgit/git build options +- Drop obsolete %%{buildroot} cleanup +- Add gcc and make BuildRequires + +* Mon Jul 24 2017 Todd Zullinger <tmz@pobox.com> - 1.1-5 +- Require webserver on all dists (#1468839) + +* Mon Jul 24 2017 Kevin Fenzi <kevin@scrye.com> - 1.1-4 +- Fix httpd requirements on epel7. Fixes bug #1468839 + * Tue Mar 07 2017 Pavel Raiskup <praiskup@redhat.com> - 1.1-3 - suggest using correct selinux context (rhbz#1429790) |