gitweb multiple remote command injections (CVE-2008-5516 CVE-2008-5517)

Bug #317052 reported by Fumihito YOSHIDA

Affects           Status        Importance  Assigned to  Milestone
git (CentOS)      Fix Released  Critical
gitweb (Ubuntu)   Fix Released  Undecided   Unassigned
  Hardy           Fix Released  Undecided   Unassigned

Bug Description

from Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=479715

gitweb/gitweb.perl has two security vulns (CVE-2008-5516, CVE-2008-5517), which can cause remote command injection.

CVE-2008-5517: mistake of git_cmd_str() / affect: < 1.5.6
http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5

CVE-2008-5516: git-rev-list | git-diff-tree vuln / affect: < 1.5.5
http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae

I checked (only a quick check!) some versions' source; *maybe* these packages are affected.
 - Ubuntu 9.04 : 1:1.6.0.4-1ubuntu1 : not affected ( fixed in upstream )
 - Ubuntu 8.10 : 1:1.5.6.3-1.1ubuntu2 : not affected ( fixed in upstream )
 - Ubuntu 8.04 : 1:1.5.4.3-1ubuntu2 <= CVE-2008-5517, CVE-2008-5516
 - Ubuntu 7.10 : (unchecked) <= may be affected.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Sebastian Krahmer of the SuSE security team discovered remote command injection flaws in gitweb, caused by insufficient checking of the inputs used to build the argument to Perl's open() function. A remote attacker could use these flaws to run arbitrary commands with the privileges of the web server executing the gitweb CGI scripts.

The issues are already fixed upstream in the latest git branches. It seems that the security consequences were not noticed when the fixes were applied upstream, as multiple occurrences of similar flaws were fixed in different upstream versions:

CVE-2008-5517
  http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
  (fixes issues in git_snapshot and git_object, first occurred in 1.5.6)

CVE-2008-5516
  http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae
  (fixes issue in git_search, first occurred in 1.5.5)

All current Fedora packages use version 1.5.6+, so neither of the issue apply to them. EPEL versions should be affected by one or both of the issues.

Revision history for this message
In , Todd (todd-redhat-bugs) wrote :

Looking at this, am I correct that EL-4 isn't vulnerable to either of these since it includes git-1.5.4.7?

For EL-5, git is at 1.5.5.6, which includes c582abae. So, we just need to add 516381d5 to correct CVE-2008-5517. Sound right?

Revision history for this message
In , Todd (todd-redhat-bugs) wrote :

(In reply to comment #1)
> Looking at this, am I correct that EL-4 isn't vulnerable to either of these
> since it includes git-1.5.4.7?

Sorry for being dense there. I realized a bit later that 1.5.4.7 indeed was vulnerable to both issues. (I read the "first occurred in ..." part as when the vulnerability first occurred, not when the commit which fixes it occurred.)

Are there testcases available to verify the fixes? The commits from git.git require a little massaging to apply to 1.5.4.7, so checking that the issues are fixed would be good.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Right, EPEL-4 should be affected by both; "first occurred in" was meant as "first fixed in". I have not tried to find the first affected version, it may go way back.

I do not have any ready to use test case, though based on comments in infrastructure ticket 1120, someone's been able to re-create one successfully.

As for EPEL-4 patch, it may be possible to address -5516 by using quote_command() (introduced in -5517 patch) on the open() argument.
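The flaw described above (user input interpolated into the single string that Perl's open() hands to /bin/sh) and the two remedies this thread discusses (quoting every argument, which is the idea behind quote_command(), and the list-form open() that upstream c582abae switched to) side by side. This is an added example written for this page, not code from gitweb or from any of the patches above. shell_quote, run_unsafe, run_quoted and run_list are hypothetical names, shell_quote is only modelled on what quote_command() is described as doing rather than copied from it, and echo stands in for the git rev-list | git diff-tree pipeline so the script runs without a repository.

```perl
#!/usr/bin/perl
# Added example (not gitweb's code). Demonstrates why the old git_search
# open() was injectable and shows two safe ways to build the command.
use strict;
use warnings;

# Quote every argument for /bin/sh: wrap it in single quotes and turn each
# embedded single quote into '\'' (note the /g). Modelled on the idea of
# gitweb's quote_command(); this is an assumption, not the upstream source.
sub shell_quote {
    return join(' ', map { my $s = $_; $s =~ s/'/'\\''/g; "'$s'" } @_);
}

# Vulnerable pattern: the search text is interpolated into ONE string, so
# Perl runs it through /bin/sh. Only the first quote is escaped (no /g),
# exactly as in the pre-c582abae git_search; a second quote breaks out.
sub run_unsafe {
    my ($searchtext) = @_;
    my $q = $searchtext;
    $q =~ s/'/'\\''/;                              # intentionally incomplete
    open my $fd, '-|', "echo -S'$q'" or die "open: $!";
    my @out = <$fd>;
    close $fd;
    return join('', @out);
}

# Hardened form 1: still one shell string, but every argument is quoted.
sub run_quoted {
    my ($searchtext) = @_;
    my $cmd = shell_quote('echo', "-S$searchtext");
    open my $fd, '-|', $cmd or die "open: $!";
    my @out = <$fd>;
    close $fd;
    return join('', @out);
}

# Hardened form 2 (what c582abae does): list-form open(). With more than
# one element after '-|' Perl exec()s the program directly; no shell ever
# parses the arguments, so no quoting is needed and none can be forgotten.
sub run_list {
    my ($searchtext) = @_;
    open my $fd, '-|', 'echo', "-S$searchtext" or die "open: $!";
    my @out = <$fd>;
    close $fd;
    return join('', @out);
}

# Constructed attacker input: the FIRST quote gets escaped, the SECOND one
# closes the string, so "; echo INJECTED" reaches the shell as a command.
my $evil = q{a'b'; echo INJECTED; echo 'c};

print "unsafe :\n", run_unsafe($evil);   # three lines, including INJECTED
print "quoted :\n", run_quoted($evil);   # one line: the input, verbatim
print "list   :\n", run_list($evil);     # one line: the input, verbatim
```

Running it shows the difference directly: run_unsafe prints `-Sa'b`, then `INJECTED`, then `c`, because the shell saw three commands, while run_quoted and run_list each print the attacker string as a single argument. Any snippet that gets the quoting only partly right, as the missing /g does, is as bad as no quoting; the list-form open() removes the shell from the picture entirely, which is why it is the preferable fix where the target Perl supports it.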

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

A smaller fix for -5516 was used in warthog9's tree (should be used on kernel.org):

http://git.kernel.org/?p=git/warthog9/gitweb.git;a=commitdiff;h=bf17b83a

Revision history for this message
In , Todd (todd-redhat-bugs) wrote :

Thanks Tomas. The patch that I had matched the upstream c582abae pretty well. Here's the small difference:

 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
-index 922dee9..ec73cb1 100755
+index 86a6ced..e011393 100755
 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
-@@ -5305,51 +5305,19 @@ sub git_search {
+@@ -5199,50 +5199,18 @@ sub git_search {
    print "<table class=\"pickaxe search\">\n";
    my $alternate = 1;
    $/ = "\n";
 - my $git_command = git_cmd_str();
 - my $searchqtext = $searchtext;
 - $searchqtext =~ s/'/'\\''/;
-- my $pickaxe_flags = $search_use_regexp ? '--pickaxe-regex' : '';
 - open my $fd, "-|", "$git_command rev-list $hash | " .
-- "$git_command diff-tree -r --stdin -S\'$searchqtext\' $pickaxe_flags";
+- "$git_command diff-tree -r --stdin -S\'$searchqtext\'";
 + open my $fd, '-|', git_cmd(), '--no-pager', 'log', @diff_opts,
-+ '--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext",
-+ ($search_use_regexp ? '--pickaxe-regex' : ());
++ '--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext";
    undef %co;
    my @files;
    while (my $line = <$fd>) {
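Review bot: the backported open() on the `+` side ends at `"-S$searchtext";`, and `$hash`, which the removed `rev-list $hash` line used to pass, does not appear in any added line of this interdiff; please confirm that the full git-1.5.4.7-2.diff still hands `$hash` to `log` after the options and followed by `--`, so a user-controlled revision cannot be parsed as an option or a pathspec. The switch to `open my $fd, '-|', git_cmd(), '--no-pager', 'log', ...` is the right fix: with more than one argument after `'-|'` Perl execs git directly and no shell parses `$searchtext`, which is why dropping `$searchqtext =~ s/'/'\\''/;` (which, lacking `/g`, escaped only the first quote) is safe. Omitting `$pickaxe_flags` and `--pickaxe-regex` is consistent with 1.5.4.7 having no `$search_use_regexp`, as the `--`/`-+` lines show those exist only in the upstream hunk.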

(also at http://tmz.fedorapeople.org/tmp/git-1.5.4.7-CVE-2008-5516-interdiff.diff in case Bugzilla mangles it. The full diff for updating git-1.5.4.7 on EL-4 is http://tmz.fedorapeople.org/tmp/git-1.5.4.7-2.diff. Unless that looks wildly wrong, I'll apply it today.)

This is much closer to the upstream patch, which hopefully will minimize the chance of introducing new bugs.

About testcases, I did get one for -5517 from Ricky yesterday. It's just -5516 that I don't have. If you run across one, let me know (gpg key 0xBEAF0CE3 if you want to send privately).

Revision history for this message
In , Todd (todd-redhat-bugs) wrote :

I just built git-1.5.4.7-2.el4¹ and sent a note to epel_signers asking to get it pushed. git-1.5.5.6-2.el5 is already in the stable EPEL updates.

¹ http://buildsys.fedoraproject.org/logs/fedora-4-epel/1197-git-1.5.4.7-2.el4/

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community-supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in gitweb:
status: New → Confirmed
Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Created attachment 329438
SuSE patch

Extracted from git-1.5.2.4-24.4.src.rpm; quote_command() was used in all three cases.

Changed in git:
status: Unknown → Confirmed
Revision history for this message
David Leadbeater (launchpad-net-dgl) wrote :

Here's a patch for it in Hardy; it would be good to see this released.

Changed in gitweb:
status: Confirmed → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

An update for this was released.

Thanks for the diff, David!

http://www.ubuntu.com/usn/USN-723-1

Changed in gitweb:
status: In Progress → Fix Released
Steve Beattie (sbeattie)
Changed in gitweb (Ubuntu Hardy):
status: New → Fix Released
Changed in git (CentOS):
importance: Unknown → Critical
status: Confirmed → Fix Released
This report contains public security information; everyone can see it.
