Debian Bug report logs - #567039
trac-git: Arbitrary command execution


Package: trac-git; Maintainer for trac-git is Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>; Source for trac-git is src:trac-git.

Reported by: Stefan Göbel <debian@ntworks.net>

Date: Tue, 26 Jan 2010 20:51:07 UTC

Severity: grave

Tags: lenny, patch, security

Found in version trac-git/0.0.20080710-3

Fixed in versions 0.0.20080710-3+lenny2, trac-git/0.0.20080710-3+lenny1, 0.0.20090320-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, debian@ntworks.net, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonny Lamb <jonny@debian.org>:
Bug#567039; Package trac-git. (Tue, 26 Jan 2010 20:51:10 GMT)

Acknowledgement sent to Stefan Göbel <debian@ntworks.net>:
New Bug report received and forwarded. Copy sent to debian@ntworks.net, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonny Lamb <jonny@debian.org>. (Tue, 26 Jan 2010 20:51:10 GMT)

Message #5 received at submit@bugs.debian.org:

From: Stefan Göbel <debian@ntworks.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trac-git: Arbitrary command execution
Date: Tue, 26 Jan 2010 21:49:42 +0100
[Message part 1 (text/plain, inline)]
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole


The trac-git package in Debian Lenny - if enabled in Trac - allows a
remote attacker to execute arbitrary commands on the system with the
rights of the user running Trac. The attacker must have the rights to
browse the repository in order to exploit this issue; other parts of
Trac are most likely not affected.

The attached patch fixes the problem; it is not thoroughly tested,
but it seems to work fine on my test system with a few Git
repositories.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages trac-git depends on:
ii  git-core              1:1.5.6.5-3+lenny2 fast, scalable, distributed revisi
ii  python                2.5.2-3            An interactive high-level object-o
ii  python-central        0.6.8              register and build utility for Pyt
ii  trac                  0.11.1-2.1         Enhanced wiki and issue tracking s

trac-git recommends no packages.

trac-git suggests no packages.

-- no debconf information
[patch.diff (text/plain, attachment)]
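The report above states the impact (command execution as the Trac user by anyone allowed to browse the repository) but not the mechanism; the changelog further down only says that a Debian-specific revision of the defunct-processes patch introduced the hole. The following Python is an added illustration, not code from the report, from the attached patch, or from trac-git itself, of the general pattern a VCS backend has to get right when it spawns git with a revision taken from the browser: a single command string handed to a shell versus an argument vector with no shell, with the child still reaped so that no defunct process is left behind. That the trac-git hole followed exactly this shape is an assumption here, as are `validate_rev`, the `rev-list` invocation and the constructed sample revisions.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (assumption): the revision string a VCS backend receives
# from the browser, e.g. a changeset id in the URL. One benign, one with a separator.
BENIGN_REV = "master"
HOSTILE_REV = "master; echo injected"

# Example allow-list (assumption, deliberately stricter than git's own ref rules):
# alphanumerics plus . _ / - , must not start with '-' (git would read an option)
# and must not contain '..' (range syntax). Reject rather than interpret.
_REV_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,255}")


def validate_rev(rev):
    """Return rev unchanged if it looks like a git object id or ref name, else raise."""
    if not _REV_RE.fullmatch(rev) or ".." in rev:
        raise ValueError("refusing suspicious revision: %r" % rev)
    return rev


def shell_command_line(rev):
    """The risky pattern: interpolate untrusted input into one string meant for /bin/sh."""
    return "git rev-list --max-count=1 " + rev


def tokens_shell_would_see(cmdline):
    """Tokenise the string the way a POSIX shell would; with punctuation_chars the
    characters ; | & become their own tokens, i.e. command separators."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lexer)


def contains_shell_separator(cmdline):
    """True if the shell would run more than one command for this string."""
    return any(tok in (";", "|", "&", "&&", "||")
               for tok in tokens_shell_would_see(cmdline))


def argv_for(rev):
    """The hardened pattern: an argument vector and no shell, so the rev is exactly one
    argv entry however it is spelled. The trailing '--' marks the end of revisions."""
    return ["git", "rev-list", "--max-count=1", validate_rev(rev), "--"]


def run_git(repo_dir, rev, timeout=30):
    """Run git without a shell and reap the child: communicate() waits for exit, so
    no defunct (zombie) process remains even when the caller discards the output."""
    proc = subprocess.Popen(argv_for(rev), cwd=repo_dir,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()  # still reap the child after killing it
        raise
    return (proc.returncode,
            out.decode("utf-8", "replace").strip(),
            err.decode("utf-8", "replace").strip())


if __name__ == "__main__":
    # Shown, not executed: what /bin/sh would make of the interpolated string.
    print(tokens_shell_would_see(shell_command_line(HOSTILE_REV)))
    # The vector form never reaches a shell, and the validator rejects the hostile rev.
    print(argv_for(BENIGN_REV))
    try:
        argv_for(HOSTILE_REV)
    except ValueError as exc:
        print(exc)
```

The two halves matter together: `argv_for` removes the shell from the picture, which is what closes the hole, while `validate_rev` is defence in depth against git itself interpreting a crafted argument (a leading `-`, or a `..` range). `run_git` keeps the property the original Debian patch was after, namely that the child is always waited for, which is why a fix for defunct processes does not need a shell in the first place.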

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#567039; Package trac-git. (Wed, 03 Feb 2010 13:00:08 GMT)

Acknowledgement sent to Jonny Lamb <jonny@debian.org>:
Extra info received and forwarded to list. (Wed, 03 Feb 2010 13:00:08 GMT)

Message #10 received at 567039@bugs.debian.org:

From: Jonny Lamb <jonny@debian.org>
To: Stefan Göbel <debian@ntworks.net>, 567039@bugs.debian.org
Subject: Re: Bug#567039: trac-git: Arbitrary command execution
Date: Wed, 3 Feb 2010 12:56:30 +0000
Hi.

On Tue, Jan 26, 21:49:42 +0100, Stefan Göbel wrote:
> The trac-git package in Debian Lenny - if enabled in Trac - allows a
> remote attacker to execute arbitrary commands on the system with the
> rights of the user running Trac. The attacker must have the rights to
> browse the repository in order to exploit this issue; other parts of
> Trac are most likely not affected.
> 
> The attached patch fixes the problem; it is not thoroughly tested,
> but it seems to work fine on my test system with a few Git
> repositories.

Sorry for the delay in responding, I've been away from my emails for a
few days, but I'm back now.

Anyway, thanks for this and the patch. I just wanted to note that I'd
not ignored this and I'll try and get something out today.

Cheerio,

-- 
Jonny Lamb, UK
jonny@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Jonny Lamb <jonny@debian.org>:
Bug#567039; Package trac-git. (Wed, 03 Feb 2010 15:18:05 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Jonny Lamb <jonny@debian.org>. (Wed, 03 Feb 2010 15:18:05 GMT)

Message #15 received at 567039@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Stefan Göbel <debian@ntworks.net>
Cc: 567039@bugs.debian.org
Subject: Re: Bug#567039: trac-git: Arbitrary command execution
Date: Wed, 03 Feb 2010 16:01:44 +0100
* Stefan Göbel:

> Package: trac-git
> Version: 0.0.20080710-3
> Severity: grave
> Tags: patch security
> Justification: user security hole
>
>
> The trac-git package in Debian Lenny - if enabled in Trac - allows a
> remote attacker to execute arbitrary commands on the system with the
> rights of the user running Trac. The attacker must have the rights to
> browse the repository in order to exploit this issue; other parts of
> Trac are most likely not affected.

Thanks.  I have assigned CVE-2010-0394 to this issue.

Reply sent to Jonny Lamb <jonny@debian.org>:
You have taken responsibility. (Thu, 04 Feb 2010 00:06:13 GMT)

Notification sent to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer. (Thu, 04 Feb 2010 00:06:13 GMT)

Message #20 received at 567039-done@bugs.debian.org:

From: Jonny Lamb <jonny@debian.org>
To: 567039-done@bugs.debian.org
Subject: Re: Bug#567039: trac-git: Arbitrary command execution
Date: Thu, 4 Feb 2010 00:04:12 +0000
Version: 0.0.20080710-3+lenny2

On Wed, Feb 03, 16:01:44 +0100, Florian Weimer wrote:
> Thanks.  I have assigned CVE-2010-0394 to this issue.

Fixed in a new security update. Thanks to Stefan Fritsch for fixing my
screw-up in building the first package.

-- 
Jonny Lamb, UK
jonny@debian.org

Reply sent to Jonny Lamb <jonny@debian.org>:
You have taken responsibility. (Thu, 04 Feb 2010 13:57:03 GMT)

Notification sent to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer. (Thu, 04 Feb 2010 13:57:03 GMT)

Message #25 received at 567039-close@bugs.debian.org:

From: Jonny Lamb <jonny@debian.org>
To: 567039-close@bugs.debian.org
Subject: Bug#567039: fixed in trac-git 0.0.20080710-3+lenny1
Date: Thu, 04 Feb 2010 13:52:43 +0000
Source: trac-git
Source-Version: 0.0.20080710-3+lenny1

We believe that the bug you reported is fixed in the latest version of
trac-git, which is due to be installed in the Debian FTP archive:

trac-git_0.0.20080710-3+lenny1.diff.gz
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.diff.gz
trac-git_0.0.20080710-3+lenny1.dsc
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.dsc
trac-git_0.0.20080710-3+lenny1_all.deb
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonny Lamb <jonny@debian.org> (supplier of updated trac-git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Feb 2010 15:27:44 +0000
Source: trac-git
Binary: trac-git
Architecture: source all
Version: 0.0.20080710-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jonny Lamb <jonny@debian.org>
Changed-By: Jonny Lamb <jonny@debian.org>
Description: 
 trac-git   - Git version control backend for Trac
Closes: 567039
Changes: 
 trac-git (0.0.20080710-3+lenny1) stable-security; urgency=high
 .
   * debian/patches/:
     + Updated 02-508019-defunct-processes.diff to what upstream actually
       did so that we don't introduce security holes. Upstream bug (linked
       to from patch) explains bug and patch more thoroughly. Thanks to
       Stefan Göbel for letting us know about the bug and providing a
       patch. This is CVE-2010-0394. (Closes: #567039)
Checksums-Sha1: 
 2803ecf3649431f5c99f6cf520a4c034c814915c 1312 trac-git_0.0.20080710-3+lenny1.dsc
 62c4055570ce817e9b74150fb5dd414f4b219d7d 28505 trac-git_0.0.20080710.orig.tar.gz
 ee4b9ae2921c86352defa67b89cb422126dc4804 4262 trac-git_0.0.20080710-3+lenny1.diff.gz
 2f6f73f6a0d98fa275baae6c457fde3dbe3d56d2 16920 trac-git_0.0.20080710-3+lenny1_all.deb
Checksums-Sha256: 
 5dfb8f27cffca98018b539f5cda06435bdef7a7384c21c96605ae59179f757f9 1312 trac-git_0.0.20080710-3+lenny1.dsc
 58cde4328e5907af1f0684ab154a758e0ed4e9a34fa0c9c8596a18dcccc459a4 28505 trac-git_0.0.20080710.orig.tar.gz
 e73ffd86896ae9ae70757d125fd748df73d75b5f4a327b1bae715e21e5e18b5e 4262 trac-git_0.0.20080710-3+lenny1.diff.gz
 14abe2f3ea18ab03f98e79b14274ef57c85b5e9f587b3ab2e73ee773d8c5c962 16920 trac-git_0.0.20080710-3+lenny1_all.deb
Files: 
 4357cd66c8df3ac03273f9f858d14928 1312 python optional trac-git_0.0.20080710-3+lenny1.dsc
 c8220478c501b7ab3e6df97cea6d2e26 28505 python optional trac-git_0.0.20080710.orig.tar.gz
 af5bbdd092dfe8d953bcb2183c1228c4 4262 python optional trac-git_0.0.20080710-3+lenny1.diff.gz
 d91bf3dc4b15e1c999f7dc5e65e0de65 16920 python optional trac-git_0.0.20080710-3+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktpllMACgkQwYr7ny4DlAJsbQCdGwrCGmR6t0tzs2tIfHeM2+/+
0B8AoLEy7r/6EDdOKZbZEKfDuLIe3wrZ
=yOHj
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Jonny Lamb <jonny@debian.org>:
Bug#567039; Package trac-git. (Thu, 04 Feb 2010 16:24:06 GMT)

Acknowledgement sent to The Anarcat <anarcat@anarcat.ath.cx>:
Extra info received and forwarded to list. Copy sent to Jonny Lamb <jonny@debian.org>. (Thu, 04 Feb 2010 16:24:06 GMT)

Message #30 received at 567039@bugs.debian.org:

From: The Anarcat <anarcat@anarcat.ath.cx>
To: 567039@bugs.debian.org
Subject: Shouldn't this be filed upstream?
Date: Thu, 4 Feb 2010 11:22:49 -0500
[Message part 1 (text/plain, inline)]
Has the upstream maintainer been contacted so that everyone benefits
from the security fix?

Thanks,

-- 
Quidquid latine dictum sit, altum sonatur.
Whatever is said in Latin sounds profound.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#567039; Package trac-git. (Thu, 04 Feb 2010 17:51:06 GMT)

Acknowledgement sent to Jonny Lamb <jonny@debian.org>:
Extra info received and forwarded to list. (Thu, 04 Feb 2010 17:51:06 GMT)

Message #35 received at 567039@bugs.debian.org:

From: Jonny Lamb <jonny@debian.org>
To: The Anarcat <anarcat@anarcat.ath.cx>, 567039@bugs.debian.org
Subject: Re: Bug#567039: Shouldn't this be filed upstream?
Date: Thu, 4 Feb 2010 17:49:41 +0000
On Thu, Feb 04, 11:22:49 -0500, The Anarcat wrote:
> Has the upstream maintainer been contacted so that everyone benefits
> from the security fix?

No, it was a Debian-specific problem.

-- 
Jonny Lamb, UK
jonny@debian.org

Added tag(s) lenny. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2010 09:18:03 GMT)

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 14 Aug 2010 18:48:03 GMT)

Notification sent to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer. (Sat, 14 Aug 2010 18:48:03 GMT)

Message #42 received at 567039-done@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 567039-done@bugs.debian.org
Subject: closing for testing/unstable as well
Date: Sat, 14 Aug 2010 18:01:25 +0200
[Message part 1 (text/plain, inline)]
Version: 0.0.20090320-1

Closing this bug with the version for testing/unstable as well.
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Sep 2010 07:33:51 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 18:54:29 2014; Machine Name: beach.debian.org