Acknowledgement sent
to Stefan Göbel <debian@ntworks.net>:
New Bug report received and forwarded. Copy sent to debian@ntworks.net, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonny Lamb <jonny@debian.org>.
(Tue, 26 Jan 2010 20:51:10 GMT)
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole
The trac-git package in Debian Lenny - if enabled in Trac - allows a
remote attacker to execute arbitrary commands on the system with the
rights of the user running Trac. The attacker must have the rights to
browse the repository in order to exploit this issue; other parts of
Trac are most likely not affected.
The attached patch fixes the problem; it is not thoroughly tested,
though, but it seems to work fine on my test system with a few Git
repositories.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages trac-git depends on:
ii git-core 1:1.5.6.5-3+lenny2 fast, scalable, distributed revisi
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
ii trac 0.11.1-2.1 Enhanced wiki and issue tracking s
trac-git recommends no packages.
trac-git suggests no packages.
-- no debconf information
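The report above only states the impact (arbitrary command execution as the Trac user by anyone allowed to browse the repository), not the mechanism. The following is an added example, not code from trac-git, Trac or the Debian patch, and it assumes (labelled as an assumption) that the hole was a user-controlled revision string reaching a shell. It contrasts the shell-string pattern with an argv-list invocation guarded by an allow-list check; the function names, the regex and the `--git-dir` layout are this example's own choices.

```python
"""Added example: how a Git backend for a web app can run git without
letting a revision name reach a shell. Assumption (not from the bug
report): the vulnerable code built a shell command string from a
revision parameter supplied through the repository browser."""
import re
import subprocess
import sys

# Allow-list for revision names: a hex SHA-1 or a ref made only of
# characters git accepts in ref names. The first character must be
# alphanumeric so a rev can never be mistaken for a git option.
# This is an example policy, narrower than git's full ref-name rules.
_SAFE_REV = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_rev(rev: str) -> bool:
    """Return True only for revision names the backend is willing to pass on."""
    if not _SAFE_REV.match(rev):
        return False
    # ".." is a range operator and ".lock" is reserved by git; reject both.
    return ".." not in rev and not rev.endswith(".lock")


def build_git_argv(git_dir: str, rev: str) -> list:
    """Build an argv list for resolving `rev`. Every element is one argument;
    no shell ever parses the list, so metacharacters in `rev` are inert."""
    if not is_safe_rev(rev):
        raise ValueError("rejected revision name: %r" % rev)
    return ["git", "--git-dir", git_dir, "rev-list", "--max-count=1", rev]


def echo_rev_via_shell(rev: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell string.
    `echo` stands in for git so the demo does no more than print."""
    proc = subprocess.run("echo " + rev, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def echo_rev_via_argv(rev: str) -> str:
    """Hardened pattern: argv list, the parameter arrives verbatim.
    The Python interpreter stands in for git so the demo runs without git."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", rev],
        capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed input: a rev name carrying a second shell command.
    hostile = "HEAD; echo INJECTED"
    print("shell string :", echo_rev_via_shell(hostile).splitlines())
    print("argv list    :", echo_rev_via_argv(hostile).splitlines())
    print("allow-list   :", is_safe_rev(hostile), is_safe_rev("refs/heads/main"))
```

With the constructed input the shell-string path prints two lines (`HEAD`, then `INJECTED`), because `;` ended the first command, while the argv-list path prints the whole string as one literal argument. The allow-list check is the second layer: a backend that only ever builds argv lists still benefits from rejecting names that git would never accept, so unexpected input fails early with a clear error rather than reaching git at all.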
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#567039; Package trac-git.
(Wed, 03 Feb 2010 13:00:08 GMT)
Acknowledgement sent
to Jonny Lamb <jonny@debian.org>:
Extra info received and forwarded to list.
(Wed, 03 Feb 2010 13:00:08 GMT)
Hi.
On Tue, Jan 26, 21:49:42 +0100, Stefan Göbel wrote:
> The trac-git package in Debian Lenny - if enabled in Trac - allows a
> remote attacker to execute arbitrary commands on the system with the
> rights of the user running Trac. The attacker must have the rights to
> browse the repository in order to exploit this issue; other parts of
> Trac are most likely not affected.
>
> The attached patch fixes the problem; it is not thoroughly tested,
> though, but it seems to work fine on my test system with a few Git
> repositories.
Sorry for the delay in responding, I've been away from my emails for a
few days, but I'm back now.
Anyway, thanks for this and the patch. I just wanted to note that I'd
not ignored this and I'll try and get something out today.
Cheerio,
--
Jonny Lamb, UK
jonny@debian.org
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonny Lamb <jonny@debian.org>: Bug#567039; Package trac-git.
(Wed, 03 Feb 2010 15:18:05 GMT)
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Jonny Lamb <jonny@debian.org>.
(Wed, 03 Feb 2010 15:18:05 GMT)
* Stefan Göbel:
> Package: trac-git
> Version: 0.0.20080710-3
> Severity: grave
> Tags: patch security
> Justification: user security hole
>
>
> The trac-git package in Debian Lenny - if enabled in Trac - allows a
> remote attacker to execute arbitrary commands on the system with the
> rights of the user running Trac. The attacker must have the rights to
> browse the repository in order to exploit this issue; other parts of
> Trac are most likely not affected.
Thanks. I have assigned CVE-2010-0394 to this issue.
Reply sent
to Jonny Lamb <jonny@debian.org>:
You have taken responsibility.
(Thu, 04 Feb 2010 00:06:13 GMT)
Notification sent
to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer.
(Thu, 04 Feb 2010 00:06:13 GMT)
Version: 0.0.20080710-3+lenny2
On Wed, Feb 03, 16:01:44 +0100, Florian Weimer wrote:
> Thanks. I have assigned CVE-2010-0394 to this issue.
Fixed in a new security update. Thanks to Stefan Fritsch for fixing my
screw-up in building the first package.
--
Jonny Lamb, UK
jonny@debian.org
Reply sent
to Jonny Lamb <jonny@debian.org>:
You have taken responsibility.
(Thu, 04 Feb 2010 13:57:03 GMT)
Notification sent
to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer.
(Thu, 04 Feb 2010 13:57:03 GMT)
Subject: Bug#567039: fixed in trac-git 0.0.20080710-3+lenny1
Date: Thu, 04 Feb 2010 13:52:43 +0000
Source: trac-git
Source-Version: 0.0.20080710-3+lenny1
We believe that the bug you reported is fixed in the latest version of
trac-git, which is due to be installed in the Debian FTP archive:
trac-git_0.0.20080710-3+lenny1.diff.gz
to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.diff.gz
trac-git_0.0.20080710-3+lenny1.dsc
to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.dsc
trac-git_0.0.20080710-3+lenny1_all.deb
to main/t/trac-git/trac-git_0.0.20080710-3+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 567039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonny Lamb <jonny@debian.org> (supplier of updated trac-git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 03 Feb 2010 15:27:44 +0000
Source: trac-git
Binary: trac-git
Architecture: source all
Version: 0.0.20080710-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jonny Lamb <jonny@debian.org>
Changed-By: Jonny Lamb <jonny@debian.org>
Description:
trac-git - Git version control backend for Trac
Closes: 567039
Changes:
trac-git (0.0.20080710-3+lenny1) stable-security; urgency=high
.
* debian/patches/:
+ Updated 02-508019-defunct-processes.diff to what upstream actually
did so that we don't introduce security holes. Upstream bug (linked
to from patch) explains bug and patch more thoroughly. Thanks to
Stefan Göbel for letting us know about the bug and providing a
patch. This is CVE-2010-0394. (Closes: #567039)
Checksums-Sha1:
2803ecf3649431f5c99f6cf520a4c034c814915c 1312 trac-git_0.0.20080710-3+lenny1.dsc
62c4055570ce817e9b74150fb5dd414f4b219d7d 28505 trac-git_0.0.20080710.orig.tar.gz
ee4b9ae2921c86352defa67b89cb422126dc4804 4262 trac-git_0.0.20080710-3+lenny1.diff.gz
2f6f73f6a0d98fa275baae6c457fde3dbe3d56d2 16920 trac-git_0.0.20080710-3+lenny1_all.deb
Checksums-Sha256:
5dfb8f27cffca98018b539f5cda06435bdef7a7384c21c96605ae59179f757f9 1312 trac-git_0.0.20080710-3+lenny1.dsc
58cde4328e5907af1f0684ab154a758e0ed4e9a34fa0c9c8596a18dcccc459a4 28505 trac-git_0.0.20080710.orig.tar.gz
e73ffd86896ae9ae70757d125fd748df73d75b5f4a327b1bae715e21e5e18b5e 4262 trac-git_0.0.20080710-3+lenny1.diff.gz
14abe2f3ea18ab03f98e79b14274ef57c85b5e9f587b3ab2e73ee773d8c5c962 16920 trac-git_0.0.20080710-3+lenny1_all.deb
Files:
4357cd66c8df3ac03273f9f858d14928 1312 python optional trac-git_0.0.20080710-3+lenny1.dsc
c8220478c501b7ab3e6df97cea6d2e26 28505 python optional trac-git_0.0.20080710.orig.tar.gz
af5bbdd092dfe8d953bcb2183c1228c4 4262 python optional trac-git_0.0.20080710-3+lenny1.diff.gz
d91bf3dc4b15e1c999f7dc5e65e0de65 16920 python optional trac-git_0.0.20080710-3+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktpllMACgkQwYr7ny4DlAJsbQCdGwrCGmR6t0tzs2tIfHeM2+/+
0B8AoLEy7r/6EDdOKZbZEKfDuLIe3wrZ
=yOHj
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Jonny Lamb <jonny@debian.org>: Bug#567039; Package trac-git.
(Thu, 04 Feb 2010 16:24:06 GMT)
Acknowledgement sent
to The Anarcat <anarcat@anarcat.ath.cx>:
Extra info received and forwarded to list. Copy sent to Jonny Lamb <jonny@debian.org>.
(Thu, 04 Feb 2010 16:24:06 GMT)
Has the upstream maintainer been contacted so that everyone benefits
from the security fix?
Thanks,
--
Quidquid latine dictum sit, altum sonatur.
Whatever is said in Latin sounds profound.
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#567039; Package trac-git.
(Thu, 04 Feb 2010 17:51:06 GMT)
Acknowledgement sent
to Jonny Lamb <jonny@debian.org>:
Extra info received and forwarded to list.
(Thu, 04 Feb 2010 17:51:06 GMT)
To: The Anarcat <anarcat@anarcat.ath.cx>, 567039@bugs.debian.org
Subject: Re: Bug#567039: Shouldn't this be filed upstream?
Date: Thu, 4 Feb 2010 17:49:41 +0000
On Thu, Feb 04, 11:22:49 -0500, The Anarcat wrote:
> Has the upstream maintainer been contacted so that everyone benefits
> from the security fix?
No, it was a Debian-specific problem.
--
Jonny Lamb, UK
jonny@debian.org
Added tag(s) lenny.
Request was from Luk Claes <luk@debian.org>
to control@bugs.debian.org.
(Sat, 13 Feb 2010 09:18:03 GMT)
Reply sent
to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(Sat, 14 Aug 2010 18:48:03 GMT)
Notification sent
to Stefan Göbel <debian@ntworks.net>:
Bug acknowledged by developer.
(Sat, 14 Aug 2010 18:48:03 GMT)