rpms/git/F-9 git-1.6.0.6-daemon-extra-args.patch, NONE, 1.1 git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch, NONE, 1.1 git.spec, 1.70, 1.71 git.xinetd, 1.2, 1.3

Todd M. Zullinger tmz at fedoraproject.org
Fri Jun 19 13:35:20 UTC 2009


Author: tmz

Update of /cvs/pkgs/rpms/git/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv406

Modified Files:
	git.spec git.xinetd 
Added Files:
	git-1.6.0.6-daemon-extra-args.patch 
	git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch 
Log Message:
Fix git-daemon hang on invalid input (CVE-2009-2108, bug 505761)

- Ignore Branches output from cvsps-2.2b1 (bug 490602)
- Escape newline in git-daemon xinetd description (bug 502393)


git-1.6.0.6-daemon-extra-args.patch:

--- NEW FILE git-1.6.0.6-daemon-extra-args.patch ---
>From ccf9fce9da3cda9ee869c70a048971c7f231a78a Mon Sep 17 00:00:00 2001
From: Shawn O. Pearce <spearce at spearce.org>
Date: Thu, 4 Jun 2009 18:33:32 -0700
Subject: [PATCH] daemon: Strictly parse the "extra arg" part of the command

This is a backport of upstream commit 73bb33a.

Since 1.4.4.5 (49ba83fb67 "Add virtualization support to git-daemon")
git daemon enters an infinite loop and never terminates if a client
hides any extra arguments in the initial request line which is not
exactly "\0host=blah\0".

Since that change, a client must never insert additional extra
arguments, or attempt to use any argument other than "host=", as
any daemon will get stuck parsing the request line and will never
complete the request.

Since the client can't tell if the daemon is patched or not, it
is not possible to know if additional extra args might actually be
able to be safely requested.

If we ever need to extend the git daemon protocol to support a new
feature, we may have to do something like this to the exchange:

  # If both support git:// v2
  #
  C: 000cgit://v2
  S: 0010ok host user
  C: 0018host git.kernel.org
  C: 0027git-upload-pack /pub/linux-2.6.git
  S: ...git-upload-pack header...

  # If client supports git:// v2, server does not:
  #
  C: 000cgit://v2
  S: <EOF>

  C: 003bgit-upload-pack /pub/linux-2.6.git\0host=git.kernel.org\0
  S: ...git-upload-pack header...

This requires the client to create two TCP connections to talk to
an older git daemon, however all daemons since the introduction of
daemon.c will safely reject the unknown "git://v2" command request,
so the client can quite easily determine the server supports an
older protocol.

Signed-off-by: Shawn O. Pearce <spearce at spearce.org>
Signed-off-by: Junio C Hamano <gitster at pobox.com>
---
 connect.c |    5 ++++-
 daemon.c  |   11 ++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/connect.c b/connect.c
index dd96f8e..c7a9f6d 100644
--- a/connect.c
+++ b/connect.c
@@ -573,7 +573,10 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
 			git_tcp_connect(fd, host, flags);
 		/*
 		 * Separate original protocol components prog and path
-		 * from extended components with a NUL byte.
+		 * from extended host header with a NUL byte.
+		 *
+		 * Note: Do not add any other headers here!  Doing so
+		 * will cause older git-daemon servers to crash.
 		 */
 		packet_write(fd[1],
 			     "%s %s%chost=%s%c",
diff --git a/daemon.c b/daemon.c
index 8dcde73..325766e 100644
--- a/daemon.c
+++ b/daemon.c
@@ -432,16 +432,15 @@ static void make_service_overridable(const char *name, int ena)
 }
 
 /*
- * Separate the "extra args" information as supplied by the client connection.
- * Any resulting data is squirreled away in the given interpolation table.
+ * Read the host as supplied by the client connection.
  */
-static void parse_extra_args(struct interp *table, char *extra_args, int buflen)
+static void parse_host_arg(struct interp *table, char *extra_args, int buflen)
 {
 	char *val;
 	int vallen;
 	char *end = extra_args + buflen;
 
-	while (extra_args < end && *extra_args) {
+	if (extra_args < end && *extra_args) {
 		saw_extended_args = 1;
 		if (strncasecmp("host=", extra_args, 5) == 0) {
 			val = extra_args + 5;
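Review bot: the shortened header comment on parse_host_arg() no longer documents the input contract, and the parameter is still named extra_args although only one argument is accepted now. Suggest stating in the comment that the buffer must hold exactly one NUL-terminated "host=" entry and that anything else ends the request, and renaming the parameter to match the new function name.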
@@ -461,6 +460,8 @@ static void parse_extra_args(struct interp *table, char *extra_args, int buflen)
 			/* On to the next one */
 			extra_args = val + vallen;
 		}
+		if (extra_args < end && *extra_args)
+			die("Invalid request");
 	}
 }
 
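Review bot: the "/* On to the next one */" comment just above the added check is stale now that the while loop has become a single if; there is no next argument any more. The new check also depends on "extra_args = val + vallen" having stepped past the host value's terminating NUL, and vallen is computed outside the visible lines, so that is worth confirming against the full function. The die("Invalid request") message gives an operator nothing to go on; including the length of the unexpected trailing data would help distinguish a probing client from a client that is merely newer.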
@@ -580,7 +581,7 @@ static int execute(struct sockaddr *addr)
 	interp_set_entry(interp_table, INTERP_SLOT_PERCENT, "%");
 
 	if (len != pktlen) {
-	    parse_extra_args(interp_table, line + len + 1, pktlen - len - 1);
+	    parse_host_arg(interp_table, line + len + 1, pktlen - len - 1);
 	    fill_in_extra_table_entries(interp_table);
 	}
 
-- 
1.6.3.2


git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch:

--- NEW FILE git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch ---
>From 09891c65a5f7409ce0bd37daced0ff31fbb1b1c9 Mon Sep 17 00:00:00 2001
From: Todd Zullinger <tmz at pobox.com>
Date: Mon, 23 Mar 2009 00:03:36 -0400
Subject: [PATCH] git-cvsimport: Ignore cvsps-2.2b1 Branches: output

Signed-off-by: Todd Zullinger <tmz at pobox.com>
---
 git-cvsimport.perl |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/git-cvsimport.perl b/git-cvsimport.perl
index e439202..d020f1a 100755
--- a/git-cvsimport.perl
+++ b/git-cvsimport.perl
@@ -952,7 +952,7 @@ while (<CVS>) {
 	} elsif (/^-+$/) { # end of unknown-line processing
 		$state = 1;
 	} elsif ($state != 11) { # ignore stuff when skipping
-		print STDERR "* UNKNOWN LINE * $_\n";
+		print STDERR "* UNKNOWN LINE * $_\n" unless /^Branches: /;
 	}
 }
 commit() if $branch and $state != 11;
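Review bot: the added "unless /^Branches: /" suppresses the warning for a Branches: line in every state other than 11, not only at the point where cvsps-2.2b1 emits it, and the commit message has no body explaining why the line is safe to ignore. Suggest a short comment next to the condition naming cvsps-2.2b1 as the source of the line, so the filter is not mistaken for a general catch-all later.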
-- 
1.6.2.2



Index: git.spec
===================================================================
RCS file: /cvs/pkgs/rpms/git/F-9/git.spec,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -p -r1.70 -r1.71
--- git.spec	2 Mar 2009 18:56:52 -0000	1.70
+++ git.spec	19 Jun 2009 13:34:49 -0000	1.71
@@ -1,7 +1,7 @@
 # Pass --without docs to rpmbuild if you don't want the documentation
 Name: 		git
 Version: 	1.6.0.6
-Release: 	3%{?dist}
+Release: 	4%{?dist}
 Summary:  	Core git tools
 License: 	GPLv2
 Group: 		Development/Tools
@@ -11,6 +11,9 @@ Source1:	git-init.el
 Source2:	git.xinetd
 Source3:	git.conf.httpd
 Patch0:		git-1.5-gitweb-home-link.patch
+Patch1:         git-1.6.0.6-daemon-extra-args.patch
+# https://bugzilla.redhat.com/490602
+Patch2:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 BuildRequires:	zlib-devel >= 1.2, openssl-devel, libcurl-devel, expat-devel, emacs, gettext %{!?_without_docs:, xmlto, asciidoc > 6.0.3}
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
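Review bot: Patch1 is the security fix but carries no reference comment, while Patch2 directly below it has its Bugzilla URL. Suggest a comment above Patch1 naming CVE-2009-2108 and bug 505761, and noting that it is a backport of upstream commit 73bb33a, so the patch can be dropped with confidence on the next rebase. The two added lines also use spaces after the tag where the neighbouring Source and Patch0 lines use tabs.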
@@ -130,6 +133,8 @@ Requires:      git = %{version}-%{releas
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 # Use these same options for every invocation of 'make'.
 # Otherwise it will rebuild in %%install due to flags changes.
@@ -269,6 +274,11 @@ rm -rf $RPM_BUILD_ROOT
 # No files for you!
 
 %changelog
+* Fri Jun 19 2009 Todd Zullinger <tmz at pobox.com> - 1.6.0.6-4
+- Fix git-daemon hang on invalid input (CVE-2009-2108, bug 505761)
+- Ignore Branches output from cvsps-2.2b1 (bug 490602)
+- Escape newline in git-daemon xinetd description (bug 502393)
+
 * Mon Mar 02 2009 Todd Zullinger <tmz at pobox.com> - 1.6.0.6-3
 - Enable parallel delta searching when packing objects (Roland McGrath)
 - Consolidate build/install options in %%make_git (Roland McGrath)


Index: git.xinetd
===================================================================
RCS file: /cvs/pkgs/rpms/git/F-9/git.xinetd,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- git.xinetd	2 Mar 2009 18:56:52 -0000	1.2
+++ git.xinetd	19 Jun 2009 13:34:49 -0000	1.3
@@ -1,5 +1,5 @@
 # default: off
-# description: The git dæmon allows git repositories to be exported using
+# description: The git dæmon allows git repositories to be exported using \
 #	the git:// protocol.
 
 service git



