diff -Nru cgit-1.1+git2.10.2/debian/changelog cgit-1.1+git2.10.2/debian/changelog
--- cgit-1.1+git2.10.2/debian/changelog 2018-02-05 11:48:53.000000000 -0500
+++ cgit-1.1+git2.10.2/debian/changelog 2018-08-14 16:15:16.000000000 -0400
@@ -1,8 +1,20 @@
-cgit (1.1+git2.10.2-3build1) bionic; urgency=high
+cgit (1.1+git2.10.2-3.1~ubuntu0.1) bionic-security; urgency=high
- * No change rebuild against openssl1.1.
+ * SECURITY UPDATE: Directory traversal vulnerability.
+ - Backport fix from cosmic LP: #1787021.
+ This fixes a directory traversal vulnerability in CGit before 1.2.1 when
+ `enable-http-clone=1` is not turned off, as demonstrated by
+ a cgit/cgit.cgi/git/objects/?path=../ request.
+ - CVE-2018-14912
- -- Dimitri John Ledkov Mon, 05 Feb 2018 16:48:53 +0000
+ -- Unit 193 Tue, 14 Aug 2018 16:15:16 -0400
+
+cgit (1.1+git2.10.2-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * clone: fix directory traversal (CVE-2018-14912) (Closes: #905382)
+
+ -- Salvatore Bonaccorso Sat, 04 Aug 2018 12:27:48 +0200
 cgit (1.1+git2.10.2-3) unstable; urgency=medium
diff -Nru cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch
--- cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch 1969-12-31 19:00:00.000000000 -0500
+++ cgit-1.1+git2.10.2/debian/patches/clone-fix-directory-traversal.patch 2018-08-04 06:26:43.000000000 -0400
@@ -0,0 +1,65 @@
+From: "Jason A. Donenfeld"
+Date: Fri, 3 Aug 2018 15:46:11 +0200
+Subject: clone: fix directory traversal
+Origin: https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14912
+Bug-Debian: https://bugs.debian.org/905382
+Bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
+
+This was introduced in the initial version of this code, way back when
+in 2008.
+
+$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/sh
+...
+
+Signed-off-by: Jason A. Donenfeld
+Reported-by: Jann Horn
+---
+ ui-clone.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/ui-clone.c b/ui-clone.c
+index 2c1ac3d..6ba8f36 100644
+--- a/ui-clone.c
++++ b/ui-clone.c
+@@ -92,17 +92,32 @@ void cgit_clone_info(void)
+
+ void cgit_clone_objects(void)
+ {
+- if (!ctx.qry.path) {
+- cgit_print_error_page(400, "Bad request", "Bad request");
+- return;
+- }
++ char *p;
++
++ if (!ctx.qry.path)
++ goto err;
+
+ if (!strcmp(ctx.qry.path, "info/packs")) {
+ print_pack_info();
+ return;
+ }
+
++ /* Avoid directory traversal by forbidding "..", but also work around
++ * other funny business by just specifying a fairly strict format. For
++ * example, now we don't have to stress out about the Cygwin port.
++ */
++ for (p = ctx.qry.path; *p; ++p) {
++ if (*p == '.' && *(p + 1) == '.')
++ goto err;
++ if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
++ goto err;
++ }
++
+ send_file(git_path("objects/%s", ctx.qry.path));
++ return;
++
++err:
++ cgit_print_error_page(400, "Bad request", "Bad request");
+ }
+
+ void cgit_clone_head(void)
+--
+2.18.0
+
diff -Nru cgit-1.1+git2.10.2/debian/patches/series cgit-1.1+git2.10.2/debian/patches/series
--- cgit-1.1+git2.10.2/debian/patches/series 2016-11-25 16:02:50.000000000 -0500
+++ cgit-1.1+git2.10.2/debian/patches/series 2018-08-04 06:26:56.000000000 -0400
@@ -10,3 +10,4 @@
 syntax-highlighting.patch
 fix-crash-when-using-path-limit.patch
 link-with-ldl-on-gnu-hurd.patch
+clone-fix-directory-traversal.patch
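Review bot: The allowlist loop added to cgit_clone_objects() in ui-clone.c is a purely lexical check, and within this hunk it is the only control between `ctx.qry.path` and `send_file(git_path("objects/%s", ctx.qry.path))`. It still lets through an empty string, a lone `.` and directory names, and it cannot account for symlinks below objects/; whether those are harmless depends on send_file(), which is outside this diff, so I would confirm that it serves regular files only. Inside the loop, `isalnum(*p)` receives a plain `char`; unless the project maps isalnum to a wrapper that is safe for negative values, the call should read `isalnum((unsigned char)*p)`. A regression test that requests the `?path=../` form quoted in the changelog and expects the 400 page would keep this backport from silently regressing.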