Bug 1612379 (CVE-2018-14912)

Summary: CVE-2018-14912 cgit: directory traversal vulnerability in cgit < 1.2.1
Product: [Other] Security Response
Reporter: Todd Zullinger <tmz>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, praiskup, tmz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cgit 1.2.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-19 09:04:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Todd Zullinger 2018-08-03 21:28:07 UTC
A directory traversal vulnerability was discovered in cgit prior to 1.2.1.  The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.

When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account.  For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:

    http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd

Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue.

Note: the cgit cache must be manually cleared or the 5-minute TTL must expire regardless of whether the above mitigation is used or the patched packages are deployed.

This issue was reported by Jann Horn.

References:
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html

Upstream Patch:
https://git.zx2c4.com/cgit/commit/?id=53efaf30b

Updates for all Fedora and EPEL releases were created earlier today, prior to the assignment of the CVE:

F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a407b85547
F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5a7f83e1b
EL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-40277073c5
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-38987c542e
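The report above describes the bug in terms of the dumb-HTTP clone endpoint joining a client-supplied ?path= value under the repository's objects/ directory. The following is an added example, written for this page; it is not cgit's code and not the upstream patch at the commit linked above. It puts the vulnerable join beside a hardened one so the failure mode is visible on the exact URL from the report. OBJECTS_DIR, the function names and the probe strings are assumptions for illustration; the allowlisted shapes are the files a dumb-HTTP git client requests under objects/ (info/packs, info/alternates, xx/<hex>, pack/pack-<hex>.idx and .pack).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not cgit's code. It models the dumb-HTTP clone "objects"
 * endpoint described in the report: the client-supplied ?path= query value
 * is joined under the repository's objects/ directory. OBJECTS_DIR and the
 * function names are assumptions for illustration.
 */
#define OBJECTS_DIR "/var/lib/git/git.git/objects"

/*
 * Vulnerable shape: the query value is appended with no validation, so
 * "../../../../../etc/passwd" walks out of the repository and the web
 * server account's read permissions decide what gets served.
 * Returns true when the joined path fit in the buffer.
 */
bool build_object_path_unsafe(char *out, size_t outlen, const char *qpath)
{
	int n = snprintf(out, outlen, "%s/%s", OBJECTS_DIR, qpath);
	return n >= 0 && (size_t)n < outlen;
}

/*
 * Hardened check: validate the value component by component, before any
 * filesystem access, against what a dumb-HTTP git client actually asks for
 * (info/packs, info/alternates, xx/<hex>, pack/pack-<hex>.idx or .pack).
 * Rejected: NULL or empty, absolute paths, empty components ("a//b",
 * trailing "/"), "." and "..", and any character outside [0-9a-z._-].
 * Allowlisting the charset is what makes encoded or exotic traversal
 * spellings fail too, rather than only the literal ".." substring.
 */
bool objects_path_is_safe(const char *qpath)
{
	if (!qpath || *qpath == '\0' || *qpath == '/')
		return false;

	const char *p = qpath;
	for (;;) {
		const char *end = strchr(p, '/');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (len == 0)
			return false;                      /* "//" or trailing "/" */
		if (len == 1 && p[0] == '.')
			return false;                      /* "." */
		if (len == 2 && p[0] == '.' && p[1] == '.')
			return false;                      /* ".." */
		for (size_t i = 0; i < len; i++) {
			char c = p[i];
			bool ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
			          c == '-' || c == '_' || c == '.';
			if (!ok)
				return false;
		}
		if (!end)
			return true;                       /* last component passed */
		p = end + 1;
	}
}

/* Hardened join: refuse unsafe input and report it as an error (-1). */
int build_object_path_safe(char *out, size_t outlen, const char *qpath)
{
	if (!objects_path_is_safe(qpath))
		return -1;
	int n = snprintf(out, outlen, "%s/%s", OBJECTS_DIR, qpath);
	return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
	/* Constructed probes: the URL from the report plus a few variants. */
	const char *probes[] = {
		"../../../../../etc/passwd",   /* the ?path= value from the report */
		"pack/../../config",           /* traversal after a valid prefix */
		"/etc/passwd",                 /* absolute path */
		"info//packs",                 /* empty component */
		"info/packs",                  /* legitimate */
		"pack/pack-0123456789abcdef0123456789abcdef01234567.idx",
	};
	char buf[512];
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		build_object_path_unsafe(buf, sizeof buf, probes[i]);
		printf("unsafe join : %s\n", buf);
		if (build_object_path_safe(buf, sizeof buf, probes[i]) == 0)
			printf("safe join   : %s\n", buf);
		else
			printf("safe join   : REJECTED %s\n", probes[i]);
	}
	return 0;
}
```

Two practical caveats. The check must run on the URL-decoded value the handler actually uses, otherwise a percent-encoded "%2e%2e" slips past a literal check and is decoded later; the charset allowlist rejects '%' outright so that ordering mistake is at least loud. And, as the report notes, a fix in the request path does nothing for responses already sitting in the cgit cache: those must be cleared or left to expire independently.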