authorLeonardo Arena <rnalrd@alpinelinux.org>2016-02-11 14:39:30 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-02-11 14:43:56 +0000
commitb4162b52de066db4f8df3ff8ceceac451f0c3c7e (patch)
tree38c5c630a4c807e90266a425b0aacfcf8f035ffd /main/cgit
parent3abe44615ddc514b7298119cef64498d06be639f (diff)
main/cgit: security fix CVE-2016-1899, CVE-2016-1900, CVE-2016-1901. Fixes #5098
(cherry picked from commit c8d5b3017f998d5284638c262ae52971c8b6c1cb)
Diffstat (limited to 'main/cgit')
-rw-r--r--main/cgit/APKBUILD27
-rw-r--r--main/cgit/CVE-2016-1899.patch51
-rw-r--r--main/cgit/CVE-2016-1900.patch82
-rw-r--r--main/cgit/CVE-2016-1901.patch34
-rw-r--r--main/cgit/ui-blob-set-csp-just-in-case.patch26
5 files changed, 214 insertions, 6 deletions
diff --git a/main/cgit/APKBUILD b/main/cgit/APKBUILD
index 0f4abd33d0..550d217a6e 100644
--- a/main/cgit/APKBUILD
+++ b/main/cgit/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cgit
pkgver=0.10.2
-pkgrel=1
+pkgrel=2
_gitver=2.0.1
pkgdesc="A fast webinterface for git"
url="http://git.zx2c4.com/cgit/"
@@ -10,9 +10,12 @@ license="GPL2"
makedepends="openssl-dev zlib-dev lua5.2-dev asciidoc"
depends=""
subpackages="$pkgname-doc"
-source="
- http://git.zx2c4.com/cgit/snapshot/cgit-$pkgver.tar.xz
+source="http://git.zx2c4.com/cgit/snapshot/cgit-$pkgver.tar.xz
https://www.kernel.org/pub/software/scm/git/git-$_gitver.tar.gz
+ CVE-2016-1899.patch
+ ui-blob-set-csp-just-in-case.patch
+ CVE-2016-1900.patch
+ CVE-2016-1901.patch
"
_makeopts="NO_ICONV=YesPlease
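Review bot: Nothing in the visible hunks applies the four new patch files; the APKBUILD's prepare() is outside this diff, so it should be confirmed that it iterates over `$source` and applies `*.patch`, otherwise the files are only fetched and checksummed and the package still ships the vulnerable code. The listing order also disagrees with upstream: the `index` lines inside the patch files show that CVE-2016-1901's cgit.c post-image (05e5d57) is CVE-2016-1899's pre-image, so upstream applied 1901 first, and since patches are normally applied in `source` order, listing `CVE-2016-1901.patch` before `CVE-2016-1899.patch` would match upstream and avoid relying on offset matching. The two tarball URLs stay plain HTTP; the sha256/sha512 sums added in the next hunk pin the content, which is acceptable provided the build verifies them on fetch.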
@@ -54,8 +57,20 @@ package() {
}
md5sums="6682d597f6e3e76645a254c7be537bd3 cgit-0.10.2.tar.xz
-981f5937840716cb563be1cc6292c8d7 git-2.0.1.tar.gz"
+981f5937840716cb563be1cc6292c8d7 git-2.0.1.tar.gz
+a97aa769ffcea8eadaa9d07af66cac62 CVE-2016-1899.patch
+94781166b8974b178c5e662a97f0819c ui-blob-set-csp-just-in-case.patch
+983434f7d09159024166a275ee9310e3 CVE-2016-1900.patch
+348e3ac77fbcf537707a9060b918dc31 CVE-2016-1901.patch"
sha256sums="94598e6582752659598e8086d3e2b2a2081df89ac8397460f507b15e71264c8d cgit-0.10.2.tar.xz
-02609a06fb40db1f6a968867c0e82bcb959b85902747830de0fda53228712daf git-2.0.1.tar.gz"
+02609a06fb40db1f6a968867c0e82bcb959b85902747830de0fda53228712daf git-2.0.1.tar.gz
+84185ccd38533541169721517db2e895733c6e320318ae96c6ce0d46c172482d CVE-2016-1899.patch
+b7a55ce0e6907d2e9ca14f15cef91964e81ad05f22f5dbc18fd5d9940f854dc5 ui-blob-set-csp-just-in-case.patch
+449fd7a9cf19c35ca5114d7877b2dca78da0a23f1c31984e4d6f4221d8c5bb59 CVE-2016-1900.patch
+490eb320304cdebfcaa9e07517b5a0c7c37428babe8d4b5a0fbd0852340299b0 CVE-2016-1901.patch"
sha512sums="5f4a0b65a9a802f5a464224ad4773ce6c926d0e61bb53baa4270f923570d92674b2b1b0669a74eb0e25d2b5e7fc7f637b37037c2371ebd7a3437ce28d78d650f cgit-0.10.2.tar.xz
-61bd1e250a8f01bdfed10d243fb6d95968795d7ebf8452f26ca778f0b99f2e13b35d0963004798b251c9ae300300c22dff79a0de21b5a3f1faebe51f557f33b2 git-2.0.1.tar.gz"
+61bd1e250a8f01bdfed10d243fb6d95968795d7ebf8452f26ca778f0b99f2e13b35d0963004798b251c9ae300300c22dff79a0de21b5a3f1faebe51f557f33b2 git-2.0.1.tar.gz
+bd8a166c516fda2598c4060c478bd25b681960a8db2d8d46fa4cafaa4ede9bcbff84fd25596cef1b4230edc1a1a7a41ea07a94d425180bad14955d184017c048 CVE-2016-1899.patch
+c2b41967cdef2e42d611c2fe0721a71c1b33e6a1785d45a2ef53c970e8e71ae9eef0b8eae93ca8a3d9933288fef9777c649430c94ecc930c875f98e35d5ce413 ui-blob-set-csp-just-in-case.patch
+36626fed9e9c3bdc8fb6c07c3189023fd5edd7f0251198e5cc8225fb8545ace0aa9852352e2509427c179dd3f6b9e705176925ee9aa833039c6b3b6b529b8c2f CVE-2016-1900.patch
+5e83ddb52bbc317a577ca6669af70f252f30f538724d76177739a741beba3f0a2bd08642f2ae4d4947035b93300e26ea4582cb2091932a267c9046101318c0b5 CVE-2016-1901.patch"
diff --git a/main/cgit/CVE-2016-1899.patch b/main/cgit/CVE-2016-1899.patch
new file mode 100644
index 0000000000..cca5705659
--- /dev/null
+++ b/main/cgit/CVE-2016-1899.patch
@@ -0,0 +1,51 @@
+From 1c581a072651524f3b0d91f33e22a42c4166dd96 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 14 Jan 2016 14:31:13 +0100
+Subject: ui-blob: Do not accept mimetype from user
+
+---
+ cgit.c | 2 --
+ cgit.h | 1 -
+ ui-blob.c | 1 -
+ 3 files changed, 4 deletions(-)
+
+diff --git a/cgit.c b/cgit.c
+index 05e5d57..3ed1935 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -314,8 +314,6 @@ static void querystring_cb(const char *name, const char *value)
+ ctx.qry.path = trim_end(value, '/');
+ } else if (!strcmp(name, "name")) {
+ ctx.qry.name = xstrdup(value);
+- } else if (!strcmp(name, "mimetype")) {
+- ctx.qry.mimetype = xstrdup(value);
+ } else if (!strcmp(name, "s")) {
+ ctx.qry.sort = xstrdup(value);
+ } else if (!strcmp(name, "showmsg")) {
+diff --git a/cgit.h b/cgit.h
+index b7eccdd..4b4bcf4 100644
+--- a/cgit.h
++++ b/cgit.h
+@@ -173,7 +173,6 @@ struct cgit_query {
+ char *sha2;
+ char *path;
+ char *name;
+- char *mimetype;
+ char *url;
+ char *period;
+ int ofs;
+diff --git a/ui-blob.c b/ui-blob.c
+index 1ded839..2cce11c 100644
+--- a/ui-blob.c
++++ b/ui-blob.c
+@@ -161,7 +161,6 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
+ }
+
+ buf[size] = '\0';
+- ctx.page.mimetype = ctx.qry.mimetype;
+ if (!ctx.page.mimetype) {
+ if (buffer_is_binary(buf, size))
+ ctx.page.mimetype = "application/octet-stream";
+--
+cgit v0.12-20-g4fde
+
diff --git a/main/cgit/CVE-2016-1900.patch b/main/cgit/CVE-2016-1900.patch
new file mode 100644
index 0000000000..c27436edcf
--- /dev/null
+++ b/main/cgit/CVE-2016-1900.patch
@@ -0,0 +1,82 @@
+From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 14 Jan 2016 14:28:37 +0100
+Subject: ui-shared: prevent malicious filename from injecting headers
+
+---
+ html.c | 26 ++++++++++++++++++++++++++
+ html.h | 1 +
+ ui-shared.c | 8 +++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/html.c b/html.c
+index 959148c..d89df3a 100644
+--- a/html.c
++++ b/html.c
+@@ -239,6 +239,32 @@ void html_url_arg(const char *txt)
+ html(txt);
+ }
+
++void html_header_arg_in_quotes(const char *txt)
++{
++ const char *t = txt;
++ while (t && *t) {
++ unsigned char c = *t;
++ const char *e = NULL;
++ if (c == '\\')
++ e = "\\\\";
++ else if (c == '\r')
++ e = "\\r";
++ else if (c == '\n')
++ e = "\\n";
++ else if (c == '"')
++ e = "\\\"";
++ if (e) {
++ html_raw(txt, t - txt);
++ html(e);
++ txt = t + 1;
++ }
++ t++;
++ }
++ if (t != txt)
++ html(txt);
++
++}
++
+ void html_hidden(const char *name, const char *value)
+ {
+ html("<input type='hidden' name='");
+diff --git a/html.h b/html.h
+index c554763..c72e845 100644
+--- a/html.h
++++ b/html.h
+@@ -23,6 +23,7 @@ extern void html_ntxt(int len, const char *txt);
+ extern void html_attr(const char *txt);
+ extern void html_url_path(const char *txt);
+ extern void html_url_arg(const char *txt);
++extern void html_header_arg_in_quotes(const char *txt);
+ extern void html_hidden(const char *name, const char *value);
+ extern void html_option(const char *value, const char *text, const char *selected_value);
+ extern void html_intoption(int value, const char *text, int selected_value);
+diff --git a/ui-shared.c b/ui-shared.c
+index 21f581f..54bbde7 100644
+--- a/ui-shared.c
++++ b/ui-shared.c
+@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
+ htmlf("Content-Type: %s\n", ctx.page.mimetype);
+ if (ctx.page.size)
+ htmlf("Content-Length: %zd\n", ctx.page.size);
+- if (ctx.page.filename)
+- htmlf("Content-Disposition: inline; filename=\"%s\"\n",
+- ctx.page.filename);
++ if (ctx.page.filename) {
++ html("Content-Disposition: inline; filename=\"");
++ html_header_arg_in_quotes(ctx.page.filename);
++ html("\"\n");
++ }
+ if (!ctx.env.authenticated)
+ html("Cache-Control: no-cache, no-store\n");
+ htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
+--
+cgit v0.12-20-g4fde
+
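Review bot: `html_header_arg_in_quotes` in the html.c hunk escapes only backslash, CR, LF and double quote, which is enough to stop the header injection this patch targets, but other control bytes (0x01–0x1F apart from the two handled, and 0x7F) coming from a repository path still pass into the Content-Disposition value unchanged; RFC 7230 forbids them in a field value and lenient clients may treat them inconsistently. This is upstream cgit commit 513b3863 applied verbatim, so the tighter fix belongs upstream rather than in the package: extend the `if` chain with `else if (c < 0x20 || c == 0x7f) e = "_";` (replacing rather than backslash-escaping, since an escaped control byte is still a raw control byte on the wire), or emit an RFC 5987 `filename*=` parameter instead. The ui-shared.c hunk's `cgit_print_http_headers` continues outside the shown lines.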
diff --git a/main/cgit/CVE-2016-1901.patch b/main/cgit/CVE-2016-1901.patch
new file mode 100644
index 0000000000..3f185656b6
--- /dev/null
+++ b/main/cgit/CVE-2016-1901.patch
@@ -0,0 +1,34 @@
+From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 24 Nov 2015 11:28:00 +0100
+Subject: filter: avoid integer overflow in authenticate_post
+
+ctx.env.content_length is an unsigned int, coming from the
+CONTENT_LENGTH environment variable, which is parsed by strtoul. The
+HTTP/1.1 spec says that "any Content-Length greater than or equal to
+zero is a valid value." By storing this into an int, we potentially
+overflow it, resulting in the following bounding check failing, leading
+to a buffer overflow.
+
+Reported-by: Erik Cabetas <Erik@cabetas.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+ cgit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cgit.c b/cgit.c
+index 5937b9e..05e5d57 100644
+--- a/cgit.c
++++ b/cgit.c
+@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
+ static inline void authenticate_post(void)
+ {
+ char buffer[MAX_AUTHENTICATION_POST_BYTES];
+- int len;
++ unsigned int len;
+
+ open_auth_filter("authenticate-post");
+ len = ctx.env.content_length;
+--
+cgit v0.12-20-g4fde
+
diff --git a/main/cgit/ui-blob-set-csp-just-in-case.patch b/main/cgit/ui-blob-set-csp-just-in-case.patch
new file mode 100644
index 0000000000..e56988b85b
--- /dev/null
+++ b/main/cgit/ui-blob-set-csp-just-in-case.patch
@@ -0,0 +1,26 @@
+From 9ca2566972db968df4479108b29bb92551138b57 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 14 Jan 2016 14:43:43 +0100
+Subject: ui-blob: set CSP just in case
+
+---
+ ui-blob.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ui-blob.c b/ui-blob.c
+index 43a2f10..d388489 100644
+--- a/ui-blob.c
++++ b/ui-blob.c
+@@ -166,6 +166,9 @@ void cgit_print_blob(const char *hex, char *path, const char *head, int file_onl
+ else
+ ctx.page.mimetype = "text/plain";
+ ctx.page.filename = path;
++
++ html("X-Content-Type-Options: nosniff\n");
++ html("Content-Security-Policy: default-src 'none'\n");
+ cgit_print_http_headers();
+ html_raw(buf, size);
+ free(buf);
+--
+cgit v0.12-20-g4fde
+