From d0dff73e8fdfad7591475740b23b97a8df223cc8 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 24 Aug 2018 09:02:23 +0200
Subject: sync with fedora spec (epel7)

---
 0001-clone-fix-directory-traversal.patch |  62 ++++++++++++++++
 Makefile                                 |   4 +
 README.SELinux                           |  21 ++++++
 cgit.spec                                | 122 +++++++++++++++++++------------
 4 files changed, 162 insertions(+), 47 deletions(-)
 create mode 100644 0001-clone-fix-directory-traversal.patch
 create mode 100644 Makefile
 create mode 100644 README.SELinux

diff --git a/0001-clone-fix-directory-traversal.patch b/0001-clone-fix-directory-traversal.patch
new file mode 100644
index 0000000..9f647f2
--- /dev/null
+++ b/0001-clone-fix-directory-traversal.patch
@@ -0,0 +1,62 @@
+From 53efaf30b50f095cad8c160488c74bba3e3b2680 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: [PATCH] clone: fix directory traversal
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reported-by: Jann Horn <jannh@google.com>
+---
+ ui-clone.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+ 
+ void cgit_clone_objects(void)
+ {
+-	if (!ctx.qry.path) {
+-		cgit_print_error_page(400, "Bad request", "Bad request");
+-		return;
+-	}
++	char *p;
++
++	if (!ctx.qry.path)
++		goto err;
+ 
+ 	if (!strcmp(ctx.qry.path, "info/packs")) {
+ 		print_pack_info();
+ 		return;
+ 	}
+ 
++	/* Avoid directory traversal by forbidding "..", but also work around
++	 * other funny business by just specifying a fairly strict format. For
++	 * example, now we don't have to stress out about the Cygwin port.
++	 */
++	for (p = ctx.qry.path; *p; ++p) {
++		if (*p == '.' && *(p + 1) == '.')
++			goto err;
++		if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++			goto err;
++	}
++
+ 	send_file(git_path("objects/%s", ctx.qry.path));
++	return;
++
++err:
++	cgit_print_error_page(400, "Bad request", "Bad request");
+ }
+ 
+ void cgit_clone_head(void)
+-- 
+2.18.0
+
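Review bot: `isalnum(*p)` in the new validation loop of cgit_clone_objects is called with a plain `char`, which is undefined behaviour for bytes above 0x7f on platforms where `char` is signed; `ctx.qry.path` is taken from the request, so such bytes can reach it. Casting first keeps the allow-list well defined: `if (!isalnum((unsigned char)*p) && *p != '/' && *p != '.' && *p != '-')`. The hunk does not show the include list of ui-clone.c, so it is worth confirming that `<ctype.h>` is pulled in there. Since this file is carried from upstream commit 53efaf30b, the change would belong upstream rather than in the packaged copy.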
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/README.SELinux b/README.SELinux
new file mode 100644
index 0000000..1f63c62
--- /dev/null
+++ b/README.SELinux
@@ -0,0 +1,21 @@
+If you use SELinux, you need to ensure that the httpd_enable_cgi boolean is
+set properly.  This can be done via the command line, e.g.:
+
+   # setsebool -P httpd_enable_cgi 1
+
+Or you can use the graphical tool system-config-selinux, via System ->
+Administration -> SELinux Management on the Gnome menu.
+
+Additionally, the git repositories need to be readable by the cgi.  This is
+handled automatically for repositories in the default path, /var/lib/git.  If
+your repositories are in a different path, /srv/git, for example, you can set
+the proper context using semanage:
+
+    # semanage fcontext -a -t @CGIT_CONTEXT@ "/srv/git(/.*)?"
+
+If you have other confined daemons that need to access the git repositories,
+you may want to use public_content_t, or public_content_rw_t instead.
+
+Then use restorecon to update the contexts:
+
+    # restorecon -RF /srv/git
diff --git a/cgit.spec b/cgit.spec
index 9968486..6a66d71 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -1,3 +1,14 @@
+# remirepo spec file for cgit, from:
+#
+# Fedora spec file for cgit
+#
+# License: MIT
+# http://opensource.org/licenses/MIT
+#
+# Please preserve changelog entries
+#
+
+
 # Review bug: https://bugzilla.redhat.com/479723
 
 %global gitver      2.10.2
@@ -8,11 +19,6 @@
 
 %global syntax_highlight 1
 
-%if 0%{?rhel} && 0%{?rhel} <= 5
-# On el5, manual actions are needed to make syntax highlighting work
-%global syntax_highlight 0
-%endif
-
 # Temporarily -- in epel-7-ppc64 is not highlight package currently, #1117261
 %if 0%{?rhel} == 7
 %ifarch ppc64
@@ -20,48 +26,33 @@
 %endif
 %endif
 
-%global make_cgit \
-export CFLAGS="%{optflags}" \
-export LDFLAGS="%{?__global_ldflags}" \
-make V=1 %{?_smp_mflags} \\\
-     DESTDIR=%{buildroot} \\\
-     INSTALL="install -p"  \\\
-     CACHE_ROOT=%{cachedir} \\\
-     CGIT_SCRIPT_PATH=%{scriptdir} \\\
-     CGIT_SCRIPT_NAME=cgit \\\
-     CGIT_DATA_PATH=%{cgitdata} \\\
-     docdir=%{docdir} \\\
-     filterdir=%{filterdir} \\\
-     prefix=%{_prefix}
-
 Name:           cgit
 Version:        1.1
-Release:        3%{?dist}
+Release:        11%{?dist}
 Summary:        A fast web interface for git
 
 Group:          Development/Tools
 License:        GPLv2
-URL:            http://git.zx2c4.com/cgit/
-Source0:        http://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz
-Source1:        http://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz
+URL:            https://git.zx2c4.com/cgit/
+Source0:        https://git.zx2c4.com/cgit/snapshot/%{name}-%{version}.tar.xz
+Source1:        https://www.kernel.org/pub/software/scm/git//git-%{gitver}.tar.xz
 Source2:        cgitrc
 Source3:        README.SELinux
 
+# https://git.zx2c4.com/cgit/commit/?id=53efaf30b
+Patch0:         0001-clone-fix-directory-traversal.patch
+
 # Security guys might try to repoquery for this.
 Provides:       bundled(git) = %gitver
 
 %if %{syntax_highlight}
-# On all but RHEL5 highlight is version 3.
+# All supported releases use hightlight version 3.
 Patch1:         cgit-0.9.1-highlightv3.patch
 BuildRequires:  highlight
 %endif
-BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:  asciidoc
-%if 0%{?rhel} && 0%{?rhel} <= 5
-# These are missing asciidoc requirements
-BuildRequires:  docbook-style-xsl libxslt
-%endif
+BuildRequires:  gcc
 %if 0%{?fedora} || 0%{?rhel} >= 6
 BuildRequires:  libcurl-devel
 %else
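Review bot: The provenance comment above `Patch0` uses the abbreviated id `53efaf30b`; the patch header carries the full hash, so the comment can pin the security fix exactly: `# https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680`. In the same hunk the new comment `# All supported releases use hightlight version 3.` misspells the package name, which should read `highlight`. The %build hunk further down also keeps the context comment `# el5 highlight doesn't know --print-style` although this commit removes the el5 conditionals, so it now looks stale.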
@@ -69,14 +60,13 @@ BuildRequires:  curl-devel
 %endif
 BuildRequires:  openssl-devel
 BuildRequires:  lua-devel
+BuildRequires:  make
 
 %if 0%{?fedora}
 # just to be able to install httpd configuration correctly, FC21+
 Requires:       httpd-filesystem
-Requires:       webserver
-%else
-Requires:       httpd
 %endif
+Requires:       webserver
 
 
 %description
@@ -84,6 +74,7 @@ Cgit is a fast web interface for git.  It uses caching to increase performance.
 
 %prep
 %setup -q -a 1
+%patch0 -p1
 %if %{syntax_highlight}
 %patch1 -p1
 %endif
@@ -91,7 +82,30 @@ Cgit is a fast web interface for git.  It uses caching to increase performance.
 # setup the git dir
 rm -rf git
 mv git-%{gitver} git
-sed -i 's|^\(CFLAGS = \).*|\1%{optflags}|' git/Makefile
+
+# Use the same options for every invocation of 'make'.
+# Otherwise it will rebuild in %%install due to flags changes.
+cat << \EOF > cgit.conf
+V = 1
+CFLAGS = %{optflags}
+LDFLAGS = %{?__global_ldflags}
+DESTDIR = %{buildroot}
+INSTALL = install -p
+CACHE_ROOT = %{cachedir}
+CGIT_SCRIPT_PATH = %{scriptdir}
+CGIT_SCRIPT_NAME = cgit
+CGIT_DATA_PATH = %{cgitdata}
+docdir = %{docdir}
+filterdir = %{filterdir}
+prefix = %{_prefix}
+EOF
+
+# git build flags
+cat << \EOF > git/config.mak
+V = 1
+CFLAGS = %{optflags}
+LDFLAGS = %{?__global_ldflags}
+EOF
 
 # I tried to use matchpathcon, but we would need to require
 # selinux-policy-targeted probably.
@@ -100,12 +114,6 @@ build_dist=%{?fedora:fedora}%{?rhel:rhel}
 build_ver=%{?fedora}%{?rhel}
 
 cgit_context=git_sys_content_t
-case "$build_dist-$build_ver" in
-    rhel-5)
-        cgit_context=httpd_sys_content_t
-        ;;
-esac
-
 sed -e "s|@CGIT_CONTEXT@|$cgit_context|g" \
     %{SOURCE3} > README.SELinux
 
@@ -121,10 +129,10 @@ EOF
 
 
 %build
-%{make_cgit}
+make %{?_smp_mflags}
 
 # Something in the a2x chain doesn't like running in parallel. :/
-%{make_cgit} -j1 doc-man doc-html
+make -j1 doc-man doc-html
 
 %if %{syntax_highlight}
 # el5 highlight doesn't know --print-style
@@ -133,22 +141,23 @@ highlight --print-style --style-outfile=stdout >> cgit.css
 
 
 %install
-rm -rf %{buildroot}
-%{make_cgit} install install-man
+make DESTDIR=%{buildroot} install install-man
 install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
 install -p -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/cgitrc
 install -p -m0644 httpd.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/cgit.conf
 install -d -m0755 %{buildroot}%{cachedir}
 
 
-%clean
-rm -rf %{buildroot}
-
 
 %files
-%defattr(-,root,root,-)
 %doc COPYING README* *.html
 %config(noreplace) %{_sysconfdir}/cgitrc
+%if 0%{?rhel} && 0%{?rhel} <= 7
+# Keep those two httpd-owned directories listed here until httpd-filesystem
+# becomes part of EPEL.  See rhbz#1138599 for more details.
+%dir %{_sysconfdir}/httpd
+%dir %{_sysconfdir}/httpd/conf.d
+%endif
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/cgit.conf
 %dir %attr(-,apache,root) %{cachedir}
 %{cgitdata}
@@ -158,6 +167,25 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Aug 24 2018 Remi Collet <remi@remirepo.net> - 1.1-11
+- rebuild for remirepo, synced with EPEL-7:
+
+* Fri Aug 03 2018 Todd Zullinger <tmz@pobox.com> - 1.1-11
+- Fix directory traversal vulnerability
+
+* Sun Feb 18 2018 Todd Zullinger <tmz@pobox.com> - 1.1-10
+- Use https for source URLs
+- Remove el5 conditionals
+- Use cgit.conf and config.mak for cgit/git build options
+- Drop obsolete %%{buildroot} cleanup
+- Add gcc and make BuildRequires
+
+* Mon Jul 24 2017 Todd Zullinger <tmz@pobox.com> - 1.1-5
+- Require webserver on all dists (#1468839)
+
+* Mon Jul 24 2017 Kevin Fenzi <kevin@scrye.com> - 1.1-4
+- Fix httpd requirements on epel7. Fixes bug #1468839
+
 * Tue Mar 07 2017 Pavel Raiskup <praiskup@redhat.com> - 1.1-3
 - suggest using correct selinux context (rhbz#1429790)
 
-- 
cgit