Bug 680905 (CVE-2011-1027)

Summary: CVE-2011-1027 cgit: invalid hex escape (e.g., %GG) in query triggers infinite loop
Product: [Other] Security Response
Component: vulnerability
Reporter: Jim Meyering <meyering>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team, tmz, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-03-24 20:13:23 UTC
Attachments: infloop fix (flags: none)

Description Jim Meyering 2011-02-28 12:35:00 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15pre) Gecko/20110227 Namoroka/3.6.15pre

Any cgit URL containing a hex escape like %GG, where GG is not a pair of hexadecimal digits, causes cgit.cgi to go into an infinite loop.
Affects v0.8.3.4, upstream latest-from-git, as well as versions in Fedora.

Reproducible: Always

Steps to Reproduce:
1. find a cgit server and give it a request like http://git.gnome.org/browse/gdlmm/commit/?id=%gg
Actual Results:  
infloop on server, client hangs indefinitely

Expected Results:  
no server infloop, client returns error immediately

patch below
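
The failure mode reported above is a query-string decoder that stops making progress when it meets a percent sign not followed by two hex digits. The following is an added example, not cgit's code and not the attached patch, of an in-place percent-decoder written so that the read cursor advances on every path through the loop, which is the invariant that rules out this kind of hang. A well-formed "%XY" is decoded to one byte; a malformed escape ("%GG", a truncated "%4", or a trailing "%") is copied through literally and counted, so a caller can either tolerate it or reject the request. The function names `hexval` and `percent_decode_inplace` and the sample query in `main` are constructed for this example.

```c
/* Added example (not cgit's code): an in-place percent-decoder that
 * terminates on malformed hex escapes such as "%GG", "%4" or a lone "%".
 * The read cursor `in` advances by at least one byte per iteration. */
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 when c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode percent-escapes in s in place.  "%XY" with two hex digits becomes
 * the byte 0xXY; any other '%' sequence is kept literally and counted in
 * *malformed (may be NULL).  Returns the decoded length.  Terminates for
 * every input because `in` is advanced on every path through the loop. */
int percent_decode_inplace(char *s, int *malformed)
{
    char *in = s, *out = s;
    int bad = 0;

    while (*in) {
        if (*in == '%') {
            /* Only look past the '%' if those bytes exist (no read past NUL). */
            int hi = in[1] ? hexval((unsigned char)in[1]) : -1;
            int lo = (in[1] && in[2]) ? hexval((unsigned char)in[2]) : -1;
            if (hi >= 0 && lo >= 0) {
                *out++ = (char)(hi * 16 + lo);
                in += 3;                 /* consumed '%', X and Y */
                continue;
            }
            bad++;                       /* malformed: fall through, keep '%' */
        }
        *out++ = *in++;                  /* always advances the read cursor */
    }
    *out = '\0';
    if (malformed)
        *malformed = bad;
    return (int)(out - s);
}

int main(void)
{
    /* Constructed sample query: one valid escape, one malformed one. */
    char query[] = "id=%gg&path=a%20b";
    int bad = 0;
    int len = percent_decode_inplace(query, &bad);
    printf("decoded=\"%s\" len=%d malformed=%d\n", query, len, bad);
    return bad ? 1 : 0;
}
```

Copying the malformed escape through rather than deleting it keeps the decoder total and loss-free; a stricter server can simply treat a non-zero malformed count as a 400-style rejection before the value reaches any further parsing.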

Comment 1 Jim Meyering 2011-02-28 12:35:58 UTC
Created attachment 481360 [details]
infloop fix

Comment 2 Vincent Danen 2011-02-28 16:51:43 UTC
I've assigned CVE-2011-1027 to this issue.

Comment 3 Vincent Danen 2011-02-28 16:54:39 UTC
Please note that this is currently embargoed; Jim is trying to get in touch with upstream to alert them first.  Please do NOT commit anything public regarding this; we will wait to see what upstream wants to do here first.

Comment 4 Todd Zullinger 2011-03-01 01:08:17 UTC
Thanks to both of you.  I started working on this in the morning after the report came in, and was glad to see an update with a CVE.  Otherwise, I may have pushed an update.  I'll keep my eye out for what happens here.

Comment 5 Vincent Danen 2011-03-04 05:04:22 UTC
Jim, have you heard back from upstream regarding this yet?

Comment 6 Jim Meyering 2011-03-04 05:22:18 UTC
Still no reply.  I pinged him 8 hours ago, using his @gmail address, which is the only one I have.

Comment 7 Vincent Danen 2011-03-04 15:55:52 UTC
Ok, thank you.  Let's wait at least the weekend to see if there is a response and we can see on Monday or Tuesday whether or not to post this to oss-security and make it public.

Comment 8 Jim Meyering 2011-03-05 14:08:08 UTC
Upstream replied.  He plans to include the patch in a bugfix release to be published today.

Comment 9 Jim Meyering 2011-03-05 16:51:35 UTC
The fix is now public, as part of today's v0.9 release:

http://hjemli.net/git/cgit/commit/?id=fc384b16fb9787380746000d3cea2d53fccc548e

Comment 10 Tomas Hoger 2011-03-07 08:01:21 UTC
The fix was applied to upstream version v0.8.3.5 too, in addition to v0.9.  I see Todd already built 0.9 for all Fedora and EPEL branches.

Making this bug public.

Comment 11 Tomas Hoger 2011-03-07 08:21:24 UTC
v0.8.3.5 announce message mentions security impact:
  http://thread.gmane.org/gmane.comp.version-control.git/168493

Comment 12 Vincent Danen 2011-03-24 20:13:23 UTC
0.9 has been pushed to all Fedora and EPEL branches.