[cgit] Appy upstream git patch for CVE-2010-2542 (#618108)

Todd Zullinger tmz at fedoraproject.org
Mon Sep 27 22:26:19 UTC 2010


commit 637b84512621d124edd19df2f1d33dc3d89f76f1
Author: Todd Zullinger <tmz at pobox.com>
Date:   Mon Sep 27 18:18:30 2010 -0400

    Appy upstream git patch for CVE-2010-2542 (#618108)

 cgit-0.8.2.1-CVE-2010-2542.patch |   12 ++++++++++++
 cgit.spec                        |    8 +++++++-
 2 files changed, 19 insertions(+), 1 deletions(-)
---
diff --git a/cgit-0.8.2.1-CVE-2010-2542.patch b/cgit-0.8.2.1-CVE-2010-2542.patch
new file mode 100644
index 0000000..62a8863
--- /dev/null
+++ b/cgit-0.8.2.1-CVE-2010-2542.patch
@@ -0,0 +1,12 @@
+diff -up cgit-0.8.2.1/git/setup.c.cve-2010-2542 cgit-0.8.2.1/git/setup.c
+--- cgit-0.8.2.1/git/setup.c.cve-2010-2542	2009-01-25 19:48:26.000000000 -0500
++++ cgit-0.8.2.1/git/setup.c	2010-09-27 18:14:27.377427596 -0400
+@@ -239,6 +239,8 @@ static int is_git_directory(const char *
+ 	char path[PATH_MAX];
+ 	size_t len = strlen(suspect);
+ 
++	if (PATH_MAX <= len + strlen("/objects"))
++		die("Too long path: %.*s", 60, suspect);
+ 	strcpy(path, suspect);
+ 	if (getenv(DB_ENVIRONMENT)) {
+ 		if (access(getenv(DB_ENVIRONMENT), X_OK))
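Review bot: The new guard sizes the check from a single suffix, `strlen("/objects")`, but is_git_directory continues past the end of this hunk, so any other string later appended to `path` after `suspect` is not covered; it is worth confirming that "/objects" is the longest suffix written into `path[]`, or deriving the bound from the longest one, since the `strcpy(path, suspect)` it protects is otherwise unbounded. A short comment would keep the intent visible on future rebases, e.g. `/* CVE-2010-2542: suspect plus "/objects" (and NUL) must fit in path[PATH_MAX]; strcpy below is unbounded */`. The `%.*s` with `60` in the die() message deliberately truncates an attacker-influenced path before it reaches logs; a named constant or a comment stating that would make the magic number self-explanatory.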
diff --git a/cgit.spec b/cgit.spec
index 48bbacf..2572bfa 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -17,7 +17,7 @@ make V=1 %{?_smp_mflags} \\\
 
 Name:           cgit
 Version:        0.8.2.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A fast webinterface for git
 
 Group:          Development/Tools
@@ -28,6 +28,7 @@ Source1:        http://www.kernel.org/pub/software/scm/git/git-%{gitver}.tar.bz2
 Source2:        cgitrc
 Source3:        cgit.httpd
 Source4:        README.SELinux
+Patch0:         cgit-0.8.2.1-CVE-2010-2542.patch
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 %if 0%{?fedora}
@@ -50,6 +51,8 @@ rm -rf git
 mv git-%{gitver} git
 sed -i 's/^\(CFLAGS = \).*/\1%{optflags}/' git/Makefile
 
+%patch0 -p1
+
 # add README.SELinux
 cp -p %{SOURCE4} .
 
@@ -81,6 +84,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Sep 27 2010 Todd Zullinger <tmz at pobox.com> - 0.8.2.1-4
+- Appy upstream git patch for CVE-2010-2542 (#618108)
+
 * Fri Aug 21 2009 Tomas Mraz <tmraz at redhat.com> - 0.8.2.1-3
 - rebuilt with new openssl
 

