Bug 663609 (CVE-2010-3906)

Summary: CVE-2010-3906 Git (gitweb): XSS due to missing escaping of HTML element attributes
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atkac, bkearney, chrisw, mjc, npajkovs, tmz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-10 12:03:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 663612, 663639, 663640    
Bug Blocks:    

Description Jan Lieskovsky 2010-12-16 11:33:41 UTC 
Cross-site scripting (XSS) flaw was found in the web
interface of Git distributed revision control system.
A remote attacker could use this flaw to execute arbitrary
HTML or scripting code by providing a certain URL
with specially-crafted values of f and fp variables.

References:
[1] http://www.bugsearch.net/en/11075/gitweb-1733-cross-site-scripting-cve-2010-3906.html?ref=3
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248

Upstream changeset:
[3] http://repo.or.cz/w/git.git/commit/3017ed62f47ce14a959e2d315c434d4980cf4243

Public PoC (from [1]):
http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]
[XSS] => "><body onload="alert('xss')"> <a

Credit:
Emanuele 'emgent' Gentili
Comment 1 Jan Lieskovsky 2010-12-16 11:40:34 UTC 
This issue affects the version of the git package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the git package, as shipped
with Fedora release of 13 and 14.

This issue affects the versions of the git package, as present
within EPEL-4 and EPEL-5 repositories.

Please schedule an update.
Comment 2 Jan Lieskovsky 2010-12-16 11:42:11 UTC 
Created git tracking bugs for this issue

Affects: fedora-all [bug 663612]
Comment 4 Tomas Hoger 2010-12-16 20:36:46 UTC 
Announcement of versions that fix this issue:
  http://www.spinics.net/lists/git/msg148037.html

Fixed in: 1.7.3.4, 1.7.2.5, 1.7.1.4, 1.7.0.9, 1.6.6.3, 1.6.5.9, 1.6.4.5
Comment 5 errata-xmlrpc 2010-12-21 17:52:19 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:1003 https://rhn.redhat.com/errata/RHSA-2010-1003.html