From 02375792f74bf0b2118c21d43b71b76aa1e41091 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Thu, 27 Sep 2012 18:14:16 +0200 Subject: [PATCH 1/3] Update to 1.7.11.7 - cvsimport should skip more characters (#850640) Signed-off-by: Adam Tkac --- ...-strip-all-inappropriate-tag-strings.patch | 71 +++++++++++++++++++ git.spec | 11 ++- sources | 2 +- 3 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 0001-cvsimport-strip-all-inappropriate-tag-strings.patch
diff --git a/0001-cvsimport-strip-all-inappropriate-tag-strings.patch b/0001-cvsimport-strip-all-inappropriate-tag-strings.patch
new file mode 100644
index 0000000..db85fe9
--- /dev/null
+++ b/0001-cvsimport-strip-all-inappropriate-tag-strings.patch
@@ -0,0 +1,71 @@
+From 70b67b0792375c59f60f3e24f2d6757b24dc719c Mon Sep 17 00:00:00 2001
+From: Ken Dreyer
+Date: Thu, 6 Sep 2012 10:36:53 -0600
+Subject: [PATCH] cvsimport: strip all inappropriate tag strings
+
+Certain characters such as "?" can be present in a CVS tag name, but
+git does not allow these characters in tags. If git-cvsimport
+encounters a CVS tag that git cannot handle, cvsimport will error and
+refuse to continue the import beyond that point.
+
+When importing CVS tags, strip all the inappropriate strings from the
+tag names as we translate them to git tag names.
+
+Provide more debugging information to the user if we've altered the
+tag and the "git tag" command still fails. Also, warn the user if we
+end up skipping an (unusable) tag altogether.
+
+Signed-off-by: Ken Dreyer
+Signed-off-by: Junio C Hamano
+---
+ git-cvsimport.perl | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/git-cvsimport.perl b/git-cvsimport.perl
+index 8d41610..8032f23 100755
+--- a/git-cvsimport.perl
++++ b/git-cvsimport.perl
+@@ -889,10 +889,37 @@ sub commit {
+ $xtag =~ s/\s+\*\*.*$//; # Remove stuff like ** INVALID ** and ** FUNKY **
+ $xtag =~ tr/_/\./ if ( $opt_u );
+ $xtag =~ s/[\/]/$opt_s/g;
+- $xtag =~ s/\[//g;
+
+- system('git' , 'tag', '-f', $xtag, $cid) == 0
+- or die "Cannot create tag $xtag: $!\n";
++ # See refs.c for these rules.
++ # Tag cannot contain bad chars. (See bad_ref_char in refs.c.)
++ $xtag =~ s/[ ~\^:\\\*\?\[]//g;
++ # Other bad strings for tags:
++ # (See check_refname_component in refs.c.)
++ 1 while $xtag =~ s/
++ (?: \.\. # Tag cannot contain '..'.
++ | \@{ # Tag cannot contain '@{'.
++ | ^ - # Tag cannot begin with '-'.
++ | \.lock $ # Tag cannot end with '.lock'.
++ | ^ \. # Tag cannot begin...
++ | \. $ # ...or end with '.'
++ )//xg;
++ # Tag cannot be empty.
++ if ($xtag eq '') {
++ warn("warning: ignoring tag '$tag'",
++ " with invalid tagname\n");
++ return;
++ }
++
++ if (system('git' , 'tag', '-f', $xtag, $cid) != 0) {
++ # We did our best to sanitize the tag, but still failed
++ # for whatever reason. Bail out, and give the user
++ # enough information to understand if/how we should
++ # improve the translation in the future.
++ if ($tag ne $xtag) {
++ print "Translated '$tag' tag to '$xtag'\n";
++ }
++ die "Cannot create tag $xtag: $!\n";
++ }
+
+ print "Created tag '$xtag' on '$branch'\n" if $opt_v;
+ }
+--
+1.7.12
+
diff --git a/git.spec b/git.spec
index 37dcff5..d38e43f 100644
--- a/git.spec
+++ b/git.spec
@@ -68,8 +68,8 @@ %endif Name: git -Version: 1.7.11.4 -Release: 3%{?dist} +Version: 1.7.11.7 +Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools
@@ -85,6 +85,8 @@ Patch0: git-1.5-gitweb-home-link.patch Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch # https://bugzilla.redhat.com/600411 Patch3: git-1.7-el5-emacs-support.patch +Patch4: 0001-cvsimport-strip-all-inappropriate-tag-strings.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: desktop-file-utils
@@ -303,6 +305,7 @@ Requires: emacs-git = %{version}-%{release} %if %{emacs_old} %patch3 -p1 %endif +%patch4 -p1 # Use these same options for every invocation of 'make'. # Otherwise it will rebuild in %%install due to flags changes.
@@ -550,6 +553,10 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Sep 27 2012 Adam Tkac - 1.7.11.7-1 +- update to 1.7.11.7 +- cvsimport should skip more characters (#850640) + * Tue Aug 07 2012 Adam Tkac - 1.7.11.4-1 - update to 1.7.11.4
diff --git a/sources b/sources
index 9c8c776..4118b8e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-21c7100cddee8579233a924111e829ab git-1.7.11.4.tar.gz
+6d0dce4e58307ced3cbd64e00834270e git-1.7.11.7.tar.gz
From 2688f348be077a6e7c3f41fcac585ec814489ae3 Mon Sep 17 00:00:00 2001
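Review bot: In the added `if (system('git' , 'tag', '-f', $xtag, $cid) != 0)` branch the `die` still interpolates `$!`, which only carries meaning when system() returns -1 because git could not be started; when `git tag` itself exits non-zero the message should report the child status, e.g. `die "Cannot create tag $xtag: git tag exited with status " . ($? >> 8) . "\n";`. Separately, the stripping substitutions can map two distinct CVS tags onto the same `$xtag`, and because the call passes `-f` the later one would replace the earlier without any message. Emitting the `Translated '$tag' tag to '$xtag'` line as a `warn` whenever `$tag ne $xtag`, not only on the failure path, would make such renames and collisions visible in the import log. The enclosing `sub commit` starts and ends outside the inner hunk.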
From: Adam Tkac Date: Thu, 22 Nov 2012 16:26:30 +0100 Subject: [PATCH 2/3] backport patch for remote-curl crashes (#865692) Signed-off-by: Adam Tkac --- ...p-fix-segfault-in-handle_curl_result.patch | 98 +++++++++++++++++++ git.spec | 8 +- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 0001-http-fix-segfault-in-handle_curl_result.patch
diff --git a/0001-http-fix-segfault-in-handle_curl_result.patch b/0001-http-fix-segfault-in-handle_curl_result.patch
new file mode 100644
index 0000000..12caf91
--- /dev/null
+++ b/0001-http-fix-segfault-in-handle_curl_result.patch
@@ -0,0 +1,98 @@
+From 188923f0d1c8148415b3173986cd1e21871c947e Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Fri, 12 Oct 2012 02:22:49 -0400
+Subject: [PATCH] http: fix segfault in handle_curl_result
+
+When we create an http active_request_slot, we can set its
+"results" pointer back to local storage. The http code will
+fill in the details of how the request went, and we can
+access those details even after the slot has been cleaned
+up.
+
+Commit 8809703 (http: factor out http error code handling)
+switched us from accessing our local results struct directly
+to accessing it via the "results" pointer of the slot. That
+means we're accessing the slot after it has been marked as
+finished, defeating the whole purpose of keeping the results
+storage separate.
+
+Most of the time this doesn't matter, as finishing the slot
+does not actually clean up the pointer. However, when using
+curl's multi interface with the dumb-http revision walker,
+we might actually start a new request before handing control
+back to the original caller. In that case, we may reuse the
+slot, zeroing its results pointer, and leading the original
+caller to segfault while looking for its results inside the
+slot.
+
+Instead, we need to pass a pointer to our local results
+storage to the handle_curl_result function, rather than
+relying on the pointer in the slot struct. This matches what
+the original code did before the refactoring (which did not
+use a separate function, and therefore just accessed the
+results struct directly).
+
+Signed-off-by: Jeff King
+Signed-off-by: Junio C Hamano
+---
+ http.c | 7 +++----
+ http.h | 3 ++-
+ remote-curl.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/http.c b/http.c
+index 7c4a407..9334386 100644
+--- a/http.c
++++ b/http.c
+@@ -744,10 +744,9 @@ char *get_remote_object_url(const char *url, const char *hex,
+ return strbuf_detach(&buf, NULL);
+ }
+
+-int handle_curl_result(struct active_request_slot *slot)
++int handle_curl_result(struct active_request_slot *slot,
++ struct slot_results *results)
+ {
+- struct slot_results *results = slot->results;
+-
+ if (results->curl_result == CURLE_OK) {
+ credential_approve(&http_auth);
+ return HTTP_OK;
+@@ -818,7 +817,7 @@ static int http_request(const char *url, void *result, int target, int options)
+
+ if (start_active_slot(slot)) {
+ run_active_slot(slot);
+- ret = handle_curl_result(slot);
++ ret = handle_curl_result(slot, &results);
+ } else {
+ error("Unable to start HTTP request for %s", url);
+ ret = HTTP_START_FAILED;
+diff --git a/http.h b/http.h
+index 12de255..0bd1e84 100644
+--- a/http.h
++++ b/http.h
+@@ -78,7 +78,8 @@ extern int start_active_slot(struct active_request_slot *slot);
+ extern void run_active_slot(struct active_request_slot *slot);
+ extern void finish_active_slot(struct active_request_slot *slot);
+ extern void finish_all_active_slots(void);
+-extern int handle_curl_result(struct active_request_slot *slot);
++extern int handle_curl_result(struct active_request_slot *slot,
++ struct slot_results *results);
+
+ #ifdef USE_CURL_MULTI
+ extern void fill_active_slots(void);
+diff --git a/remote-curl.c b/remote-curl.c
+index 3ec474f..6054e47 100644
+--- a/remote-curl.c
++++ b/remote-curl.c
+@@ -369,7 +369,7 @@ static int run_slot(struct active_request_slot *slot)
+ slot->curl_result = curl_easy_perform(slot->curl);
+ finish_active_slot(slot);
+
+- err = handle_curl_result(slot);
++ err = handle_curl_result(slot, &results);
+ if (err != HTTP_OK && err != 
HTTP_REAUTH) {
+ error("RPC failed; result=%d, HTTP code = %ld",
+ results.curl_result, results.http_code);
+--
+1.8.0
+
diff --git a/git.spec b/git.spec
index d38e43f..92b94ed 100644
--- a/git.spec
+++ b/git.spec
@@ -69,7 +69,7 @@ Name: git Version: 1.7.11.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools
@@ -86,6 +86,8 @@ Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch # https://bugzilla.redhat.com/600411 Patch3: git-1.7-el5-emacs-support.patch Patch4: 0001-cvsimport-strip-all-inappropriate-tag-strings.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=865692 +Patch5: 0001-http-fix-segfault-in-handle_curl_result.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -306,6 +308,7 @@ Requires: emacs-git = %{version}-%{release} %patch3 -p1 %endif %patch4 -p1 +%patch5 -p1 # Use these same options for every invocation of 'make'. # Otherwise it will rebuild in %%install due to flags changes.
@@ -553,6 +556,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Nov 22 2012 Adam Tkac - 1.7.11.7-2 +- backport patch for remote-curl crashes (#865692) + * Thu Sep 27 2012 Adam Tkac - 1.7.11.7-1 - update to 1.7.11.7 - cvsimport should skip more characters (#850640)
From 75f87ee37021e3c6f969f3dc5b45747b8ef264d9 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Wed, 20 Feb 2013 14:15:21 +0100 Subject: [PATCH 3/3] Fix CVE-2013-0308 Signed-off-by: Adam Tkac --- 0001-imap-send-move-ifdef-around.patch | 53 ++++++++++++ ...bject-of-SSL-certificate-must-match-.patch | 84 +++++++++++++++++++ ...-send-support-subjectAltName-as-well.patch | 55 ++++++++++++ git.spec | 11 ++- 4 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 0001-imap-send-move-ifdef-around.patch create mode 100644 0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch create mode 100644 0003-imap-send-support-subjectAltName-as-well.patch
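Review bot: Nothing at the new `handle_curl_result(slot, results)` prototype in http.h tells a caller which storage `results` must point at, although passing `slot->results` would bring back the crash this patch fixes. A comment above the declaration such as `/* results must be the caller's own struct slot_results; slot->results may have been cleared if the slot was reused */` would record that contract. In the visible part of the http.c body `slot` is no longer read; whether it is still needed further down cannot be seen here, because the function continues outside the inner hunk.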
diff --git a/0001-imap-send-move-ifdef-around.patch b/0001-imap-send-move-ifdef-around.patch
new file mode 100644
index 0000000..b455958
--- /dev/null
+++ b/0001-imap-send-move-ifdef-around.patch
@@ -0,0 +1,53 @@
+From 1e1fe52923a8f582c4f50b41f0dd978d5d7c9bd3 Mon Sep 17 00:00:00 2001
+From: Junio C Hamano
+Date: Fri, 15 Feb 2013 12:32:19 -0800
+Subject: [PATCH 1/3] imap-send: move #ifdef around
+
+Instead of adding an early return to the inside of the
+ssl_socket_connect() function for NO_OPENSSL compilation, split it
+into a separate stub function.
+
+No functional change, but the next change to extend ssl_socket_connect()
+will become easier to read this way.
+
+Signed-off-by: Junio C Hamano
+---
+ imap-send.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/imap-send.c b/imap-send.c
+index 9992233..94f53c2 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -266,12 +266,17 @@ static void socket_perror(const char *func, struct imap_socket *sock, int ret)
+ }
+ }
+
++#ifdef NO_OPENSSL
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+-#ifdef NO_OPENSSL
+ fprintf(stderr, "SSL requested but SSL support not compiled in\n");
+ return -1;
++}
++
+ #else
++
++static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
++{
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ const SSL_METHOD *meth;
+ #else
+@@ -323,8 +328,8 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ }
+
+ return 0;
+-#endif
+ }
++#endif
+
+ static int socket_read(struct imap_socket *sock, char *buf, int len)
+ {
+--
+1.8.1.2
+
diff --git a/0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch b/0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch
new file mode 100644
index 0000000..e41bcf3
--- /dev/null
+++ b/0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch
@@ -0,0 +1,84 @@
+From b62fb077d5504deadea931fd16075729f39b8f47 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen
+Date: Fri, 15 Feb 2013 12:50:35 -0800
+Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the
+ host
+
+We did not check a valid certificate's subject at all, and would
+have happily talked with a wrong host after connecting to an
+incorrect address and getting a valid certificate that does not
+belong to the host we intended to talk to.
+
+Signed-off-by: Oswald Buddenhagen
+Signed-off-by: Junio C Hamano
+---
+ imap-send.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/imap-send.c b/imap-send.c
+index 94f53c2..0b9c464 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -275,6 +275,35 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+
+ #else
+
++static int host_matches(const char *host, const char *pattern)
++{
++ if (pattern[0] == '*' && pattern[1] == '.') {
++ pattern += 2;
++ if (!(host = strchr(host, '.')))
++ return 0;
++ host++;
++ }
++
++ return *host && *pattern && !strcasecmp(host, pattern);
++}
++
++static int verify_hostname(X509 *cert, const char *hostname)
++{
++ int len;
++ X509_NAME *subj;
++ char cname[1000];
++
++ /* try the common name */
++ if (!(subj = X509_get_subject_name(cert)))
++ return error("cannot get certificate subject");
++ if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
++ return error("cannot get certificate common name");
++ if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
++ return 0;
++ return error("certificate owner '%s' does not match hostname '%s'",
++ cname, hostname);
++}
++
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+@@ -284,6 +313,7 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ #endif
+ SSL_CTX *ctx;
+ int ret;
++ 
X509 *cert;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+@@ -327,6 +357,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ return -1;
+ }
+
++ if (verify) {
++ /* make sure the hostname matches that of the certificate */
++ cert = SSL_get_peer_certificate(sock->ssl);
++ if (!cert)
++ return error("unable to get peer certificate.");
++ if (verify_hostname(cert, server.host) < 0)
++ return -1;
++ }
++
+ return 0;
+ }
+ #endif
+--
+1.8.1.2
+
diff --git a/0003-imap-send-support-subjectAltName-as-well.patch b/0003-imap-send-support-subjectAltName-as-well.patch
new file mode 100644
index 0000000..9acbfe0
--- /dev/null
+++ b/0003-imap-send-support-subjectAltName-as-well.patch
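Review bot: The certificate returned by `SSL_get_peer_certificate(sock->ssl)` in the added `if (verify)` block is never released, although that call hands the caller its own reference; both the success path and the `return -1` path leave it held. Reusing the existing `ret` would fix it: `ret = verify_hostname(cert, server.host); X509_free(cert); if (ret < 0) return -1;`. In `host_matches`, the wildcard branch accepts any pattern that begins with `*.` and puts no lower bound on how many labels must follow, so how broad a wildcard is honoured depends entirely on what the issuing CA was willing to sign; a short comment stating that assumption would help the next reader. ssl_socket_connect begins and ends outside the inner hunks shown.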
@@ -0,0 +1,55 @@
+From e174744ad17a55d4df68cec97bfbf6b0c28e762b Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen
+Date: Fri, 15 Feb 2013 12:59:53 -0800
+Subject: [PATCH 3/3] imap-send: support subjectAltName as well
+
+Check not only the common name of the certificate subject, but also
+check the subject alternative DNS names as well, when verifying that
+the certificate matches that of the host we are trying to talk to.
+
+Signed-off-by: Oswald Buddenhagen
+Signed-off-by: Junio C Hamano
+---
+ imap-send.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/imap-send.c b/imap-send.c
+index 0b9c464..171c887 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -30,6 +30,7 @@ typedef void *SSL;
+ #else
+ #include
+ #include
++#include
+ #endif
+
+ struct store_conf {
+@@ -292,6 +293,24 @@ static int verify_hostname(X509 *cert, const char *hostname)
+ int len;
+ X509_NAME *subj;
+ char cname[1000];
++ int i, found;
++ STACK_OF(GENERAL_NAME) *subj_alt_names;
++
++ /* try the DNS subjectAltNames */
++ found = 0;
++ if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
++ int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
++ for (i = 0; !found && i < num_subj_alt_names; i++) {
++ GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
++ if (subj_alt_name->type == GEN_DNS &&
++ strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
++ host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
++ found = 1;
++ }
++ sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
++ }
++ if (found)
++ return 0;
+
+ /* try the common name */
+ if (!(subj = X509_get_subject_name(cert)))
+--
+1.8.1.2
+
diff --git a/git.spec b/git.spec
index 92b94ed..473b435 100644
--- a/git.spec
+++ b/git.spec
@@ -69,7 +69,7 @@ Name: git Version: 1.7.11.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools
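Review bot: When a certificate carries DNS subjectAltName entries and none of them match, the added block in verify_hostname falls through to the common-name check, so the certificate can still be accepted on its CN alone; RFC 6125 has clients ignore the CN once any dNSName entry is present. Testing `subj_alt_name->type == GEN_DNS` on its own, setting a flag such as `saw_dns = 1;` there, and adding `if (saw_dns) return error("certificate subjectAltName does not match hostname '%s'", hostname);` before the common-name lookup would close that gap. The `strlen()` comparison used to reject embedded NULs also relies on the `ia5->data` buffer being NUL-terminated, which is worth confirming for the OpenSSL versions this package builds against. The remainder of verify_hostname lies outside the inner hunk.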
@@ -88,6 +88,9 @@ Patch3: git-1.7-el5-emacs-support.patch Patch4: 0001-cvsimport-strip-all-inappropriate-tag-strings.patch # https://bugzilla.redhat.com/show_bug.cgi?id=865692 Patch5: 0001-http-fix-segfault-in-handle_curl_result.patch +Patch6: 0001-imap-send-move-ifdef-around.patch +Patch7: 0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch +Patch8: 0003-imap-send-support-subjectAltName-as-well.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -309,6 +312,9 @@ Requires: emacs-git = %{version}-%{release} %endif %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 # Use these same options for every invocation of 'make'. # Otherwise it will rebuild in %%install due to flags changes.
@@ -556,6 +562,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Wed Feb 20 2013 Adam Tkac - 1.7.11.7-3 +- fix CVE-2013-0308 + * Thu Nov 22 2012 Adam Tkac - 1.7.11.7-2 - backport patch for remote-curl crashes (#865692)