Fix CVE-2013-0308

Signed-off-by: Adam Tkac <atkac@redhat.com>

0001-cvsimport-strip-all-inappropriate-tag-strings.patch

@@ -0,0 +1,71 @@
+From 70b67b0792375c59f60f3e24f2d6757b24dc719c Mon Sep 17 00:00:00 2001
+From: Ken Dreyer <ktdreyer@ktdreyer.com>
+Date: Thu, 6 Sep 2012 10:36:53 -0600
+Subject: [PATCH] cvsimport: strip all inappropriate tag strings
+
+Certain characters such as "?" can be present in a CVS tag name, but
+git does not allow these characters in tags. If git-cvsimport
+encounters a CVS tag that git cannot handle, cvsimport will error and
+refuse to continue the import beyond that point.
+
+When importing CVS tags, strip all the inappropriate strings from the
+tag names as we translate them to git tag names.
+
+Provide more debugging information to the user if we've altered the
+tag and the "git tag" command still fails. Also, warn the user if we
+end up skipping an (unusable) tag altogether.
+
+Signed-off-by: Ken Dreyer <ktdreyer@ktdreyer.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ git-cvsimport.perl | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/git-cvsimport.perl b/git-cvsimport.perl
+index 8d41610..8032f23 100755
+--- a/git-cvsimport.perl
++++ b/git-cvsimport.perl
+@@ -889,10 +889,37 @@ sub commit {
+ 		$xtag =~ s/\s+\*\*.*$//; # Remove stuff like ** INVALID ** and ** FUNKY **
+ 		$xtag =~ tr/_/\./ if ( $opt_u );
+ 		$xtag =~ s/[\/]/$opt_s/g;
+-		$xtag =~ s/\[//g;
+ 
+-		system('git' , 'tag', '-f', $xtag, $cid) == 0
+-			or die "Cannot create tag $xtag: $!\n";
++		# See refs.c for these rules.
++		# Tag cannot contain bad chars. (See bad_ref_char in refs.c.)
++		$xtag =~ s/[ ~\^:\\\*\?\[]//g;
++		# Other bad strings for tags:
++		# (See check_refname_component in refs.c.)
++		1 while $xtag =~ s/
++			(?: \.\.        # Tag cannot contain '..'.
++			|   \@{         # Tag cannot contain '@{'.
++			| ^ -           # Tag cannot begin with '-'.
++			|   \.lock $    # Tag cannot end with '.lock'.
++			| ^ \.          # Tag cannot begin...
++			|   \. $        # ...or end with '.'
++			)//xg;
++		# Tag cannot be empty.
++		if ($xtag eq '') {
++			warn("warning: ignoring tag '$tag'",
++			" with invalid tagname\n");
++			return;
++		}
++
++		if (system('git' , 'tag', '-f', $xtag, $cid) != 0) {
++			# We did our best to sanitize the tag, but still failed
++			# for whatever reason. Bail out, and give the user
++			# enough information to understand if/how we should
++			# improve the translation in the future.
++			if ($tag ne $xtag) {
++				print "Translated '$tag' tag to '$xtag'\n";
++			}
++			die "Cannot create tag $xtag: $!\n";
++		}
+ 
+ 		print "Created tag '$xtag' on '$branch'\n" if $opt_v;
+ 	}
+-- 
+1.7.12
+

0001-http-fix-segfault-in-handle_curl_result.patch

@@ -0,0 +1,98 @@
+From 188923f0d1c8148415b3173986cd1e21871c947e Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Fri, 12 Oct 2012 02:22:49 -0400
+Subject: [PATCH] http: fix segfault in handle_curl_result
+
+When we create an http active_request_slot, we can set its
+"results" pointer back to local storage. The http code will
+fill in the details of how the request went, and we can
+access those details even after the slot has been cleaned
+up.
+
+Commit 8809703 (http: factor out http error code handling)
+switched us from accessing our local results struct directly
+to accessing it via the "results" pointer of the slot. That
+means we're accessing the slot after it has been marked as
+finished, defeating the whole purpose of keeping the results
+storage separate.
+
+Most of the time this doesn't matter, as finishing the slot
+does not actually clean up the pointer. However, when using
+curl's multi interface with the dumb-http revision walker,
+we might actually start a new request before handing control
+back to the original caller. In that case, we may reuse the
+slot, zeroing its results pointer, and leading the original
+caller to segfault while looking for its results inside the
+slot.
+
+Instead, we need to pass a pointer to our local results
+storage to the handle_curl_result function, rather than
+relying on the pointer in the slot struct. This matches what
+the original code did before the refactoring (which did not
+use a separate function, and therefore just accessed the
+results struct directly).
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ http.c        | 7 +++----
+ http.h        | 3 ++-
+ remote-curl.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/http.c b/http.c
+index 7c4a407..9334386 100644
+--- a/http.c
++++ b/http.c
+@@ -744,10 +744,9 @@ char *get_remote_object_url(const char *url, const char *hex,
+ 	return strbuf_detach(&buf, NULL);
+ }
+ 
+-int handle_curl_result(struct active_request_slot *slot)
++int handle_curl_result(struct active_request_slot *slot,
++		       struct slot_results *results)
+ {
+-	struct slot_results *results = slot->results;
+-
+ 	if (results->curl_result == CURLE_OK) {
+ 		credential_approve(&http_auth);
+ 		return HTTP_OK;
+@@ -818,7 +817,7 @@ static int http_request(const char *url, void *result, int target, int options)
+ 
+ 	if (start_active_slot(slot)) {
+ 		run_active_slot(slot);
+-		ret = handle_curl_result(slot);
++		ret = handle_curl_result(slot, &results);
+ 	} else {
+ 		error("Unable to start HTTP request for %s", url);
+ 		ret = HTTP_START_FAILED;
+diff --git a/http.h b/http.h
+index 12de255..0bd1e84 100644
+--- a/http.h
++++ b/http.h
+@@ -78,7 +78,8 @@ extern int start_active_slot(struct active_request_slot *slot);
+ extern void run_active_slot(struct active_request_slot *slot);
+ extern void finish_active_slot(struct active_request_slot *slot);
+ extern void finish_all_active_slots(void);
+-extern int handle_curl_result(struct active_request_slot *slot);
++extern int handle_curl_result(struct active_request_slot *slot,
++			      struct slot_results *results);
+ 
+ #ifdef USE_CURL_MULTI
+ extern void fill_active_slots(void);
+diff --git a/remote-curl.c b/remote-curl.c
+index 3ec474f..6054e47 100644
+--- a/remote-curl.c
++++ b/remote-curl.c
+@@ -369,7 +369,7 @@ static int run_slot(struct active_request_slot *slot)
+ 	slot->curl_result = curl_easy_perform(slot->curl);
+ 	finish_active_slot(slot);
+ 
+-	err = handle_curl_result(slot);
++	err = handle_curl_result(slot, &results);
+ 	if (err != HTTP_OK && err != HTTP_REAUTH) {
+ 		error("RPC failed; result=%d, HTTP code = %ld",
+ 		      results.curl_result, results.http_code);
+-- 
+1.8.0
+

0001-imap-send-move-ifdef-around.patch

@@ -0,0 +1,53 @@
+From 1e1fe52923a8f582c4f50b41f0dd978d5d7c9bd3 Mon Sep 17 00:00:00 2001
+From: Junio C Hamano <gitster@pobox.com>
+Date: Fri, 15 Feb 2013 12:32:19 -0800
+Subject: [PATCH 1/3] imap-send: move #ifdef around
+
+Instead of adding an early return to the inside of the
+ssl_socket_connect() function for NO_OPENSSL compilation, split it
+into a separate stub function.
+
+No functional change, but the next change to extend ssl_socket_connect()
+will become easier to read this way.
+
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ imap-send.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/imap-send.c b/imap-send.c
+index 9992233..94f53c2 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -266,12 +266,17 @@ static void socket_perror(const char *func, struct imap_socket *sock, int ret)
+ 	}
+ }
+ 
++#ifdef NO_OPENSSL
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+-#ifdef NO_OPENSSL
+ 	fprintf(stderr, "SSL requested but SSL support not compiled in\n");
+ 	return -1;
++}
++
+ #else
++
++static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
++{
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ 	const SSL_METHOD *meth;
+ #else
+@@ -323,8 +328,8 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ 	}
+ 
+ 	return 0;
+-#endif
+ }
++#endif
+ 
+ static int socket_read(struct imap_socket *sock, char *buf, int len)
+ {
+-- 
+1.8.1.2
+

0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch

@@ -0,0 +1,84 @@
+From b62fb077d5504deadea931fd16075729f39b8f47 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@kde.org>
+Date: Fri, 15 Feb 2013 12:50:35 -0800
+Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the
+ host
+
+We did not check a valid certificate's subject at all, and would
+have happily talked with a wrong host after connecting to an
+incorrect address and getting a valid certificate that does not
+belong to the host we intended to talk to.
+
+Signed-off-by: Oswald Buddenhagen <ossi@kde.org>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ imap-send.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/imap-send.c b/imap-send.c
+index 94f53c2..0b9c464 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -275,6 +275,35 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ 
+ #else
+ 
++static int host_matches(const char *host, const char *pattern)
++{
++	if (pattern[0] == '*' && pattern[1] == '.') {
++		pattern += 2;
++		if (!(host = strchr(host, '.')))
++			return 0;
++		host++;
++	}
++
++	return *host && *pattern && !strcasecmp(host, pattern);
++}
++
++static int verify_hostname(X509 *cert, const char *hostname)
++{
++	int len;
++	X509_NAME *subj;
++	char cname[1000];
++
++	/* try the common name */
++	if (!(subj = X509_get_subject_name(cert)))
++		return error("cannot get certificate subject");
++	if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
++		return error("cannot get certificate common name");
++	if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
++		return 0;
++	return error("certificate owner '%s' does not match hostname '%s'",
++		     cname, hostname);
++}
++
+ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+ {
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+@@ -284,6 +313,7 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ #endif
+ 	SSL_CTX *ctx;
+ 	int ret;
++	X509 *cert;
+ 
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
+@@ -327,6 +357,15 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve
+ 		return -1;
+ 	}
+ 
++	if (verify) {
++		/* make sure the hostname matches that of the certificate */
++		cert = SSL_get_peer_certificate(sock->ssl);
++		if (!cert)
++			return error("unable to get peer certificate.");
++		if (verify_hostname(cert, server.host) < 0)
++			return -1;
++	}
++
+ 	return 0;
+ }
+ #endif
+-- 
+1.8.1.2
+

0003-imap-send-support-subjectAltName-as-well.patch

@@ -0,0 +1,55 @@
+From e174744ad17a55d4df68cec97bfbf6b0c28e762b Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <ossi@kde.org>
+Date: Fri, 15 Feb 2013 12:59:53 -0800
+Subject: [PATCH 3/3] imap-send: support subjectAltName as well
+
+Check not only the common name of the certificate subject, but also
+check the subject alternative DNS names as well, when verifying that
+the certificate matches that of the host we are trying to talk to.
+
+Signed-off-by: Oswald Buddenhagen <ossi@kde.org>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ imap-send.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/imap-send.c b/imap-send.c
+index 0b9c464..171c887 100644
+--- a/imap-send.c
++++ b/imap-send.c
+@@ -30,6 +30,7 @@ typedef void *SSL;
+ #else
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/x509v3.h>
+ #endif
+ 
+ struct store_conf {
+@@ -292,6 +293,24 @@ static int verify_hostname(X509 *cert, const char *hostname)
+ 	int len;
+ 	X509_NAME *subj;
+ 	char cname[1000];
++	int i, found;
++	STACK_OF(GENERAL_NAME) *subj_alt_names;
++
++	/* try the DNS subjectAltNames */
++	found = 0;
++	if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
++		int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
++		for (i = 0; !found && i < num_subj_alt_names; i++) {
++			GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
++			if (subj_alt_name->type == GEN_DNS &&
++			    strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
++			    host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
++				found = 1;
++		}
++		sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
++	}
++	if (found)
++		return 0;
+ 
+ 	/* try the common name */
+ 	if (!(subj = X509_get_subject_name(cert)))
+-- 
+1.8.1.2
+

git.spec

@@ -68,7 +68,7 @@
 %endif
 
 Name:           git
-Version:        1.7.11.4
+Version:        1.7.11.7
 Release:        3%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -85,6 +85,13 @@ Patch0:         git-1.5-gitweb-home-link.patch
 Patch1:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 # https://bugzilla.redhat.com/600411
 Patch3:         git-1.7-el5-emacs-support.patch
+Patch4:         0001-cvsimport-strip-all-inappropriate-tag-strings.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=865692
+Patch5:         0001-http-fix-segfault-in-handle_curl_result.patch
+Patch6:         0001-imap-send-move-ifdef-around.patch
+Patch7:         0002-imap-send-the-subject-of-SSL-certificate-must-match-.patch
+Patch8:         0003-imap-send-support-subjectAltName-as-well.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  desktop-file-utils
@@ -303,6 +310,11 @@ Requires:       emacs-git = %{version}-%{release}
 %if %{emacs_old}
 %patch3 -p1
 %endif
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 # Use these same options for every invocation of 'make'.
 # Otherwise it will rebuild in %%install due to flags changes.
@@ -550,6 +562,16 @@ rm -rf %{buildroot}
 # No files for you!
 
 %changelog
+* Wed Feb 20 2013 Adam Tkac <atkac redhat com> - 1.7.11.7-3
+- fix CVE-2013-0308
+
+* Thu Nov 22 2012 Adam Tkac <atkac redhat com> - 1.7.11.7-2
+- backport patch for remote-curl crashes (#865692)
+
+* Thu Sep 27 2012 Adam Tkac <atkac redhat com> - 1.7.11.7-1
+- update to 1.7.11.7
+-  cvsimport should skip more characters (#850640)
+
 * Tue Aug 07 2012 Adam Tkac <atkac redhat com> - 1.7.11.4-1
 - update to 1.7.11.4
 

sources

@@ -1 +1 @@
-21c7100cddee8579233a924111e829ab  git-1.7.11.4.tar.gz
+6d0dce4e58307ced3cbd64e00834270e  git-1.7.11.7.tar.gz