Bug 695568 (CVE-2011-1572)

Summary: CVE-2011-1572 gitolite: arbitrary command execution flaw with optional admin-defined command feature
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: lkundrak, opensource
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-04-12 07:24:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 695569, 695570

Description Vincent Danen 2011-04-12 02:54:52 UTC
A flaw was found in the gitolite ADC (Admin Defined Commands) system [1].  If the ADC feature were enabled, a remote user could connect to gitolite and execute arbitrary commands by specifying a command such as "../../../../usr/bin/foo" because gitolite did not filter command names.  This has been corrected upstream [2] in version 1.5.9.1 and gitolite will now refuse to execute any commands with ".." in the supplied command name.

Note that ADC is only enabled when GL_ADC_PATH is set in the rc file (it is not enabled or set by default) and both the documentation and example rc file note that there are security risks involved with using ADC.

[1] http://groups.google.com/group/gitolite/browse_thread/thread/797a93ec26e1dcbc?pli=1
[2] https://github.com/sitaramc/gitolite/commit/4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc
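The unfiltered lookup described above beside the ".." refusal from the fix, plus a stricter allow-list check, as an added illustration in Python (not gitolite's own Perl code); the ADC directory value and the command names are constructed for this example.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Constructed for this example: stands in for the GL_ADC_PATH rc setting.
GL_ADC_PATH = "/home/git/.gitolite/adc"


def resolve_adc_vulnerable(adc_path: str, cmd: str) -> str:
    """Pre-fix behaviour as the report describes it: the user-supplied name is
    simply appended to GL_ADC_PATH, so a name containing "../" climbs out of
    the ADC directory and any executable on the box can be selected."""
    return os.path.normpath(f"{adc_path}/{cmd}")


def resolve_adc_fixed(adc_path: str, cmd: str) -> Optional[str]:
    """Check equivalent to the 1.5.9.1 fix: refuse any command name that
    contains "..". Returns the path to run, or None when refused."""
    if ".." in cmd:
        return None
    return os.path.normpath(f"{adc_path}/{cmd}")


def resolve_adc_strict(adc_path: str, cmd: str) -> Optional[str]:
    """Stricter variant (added here, goes beyond the described fix): accept
    only a bare filename from a conservative character set, then confirm the
    resolved target really is a direct child of the ADC directory, which also
    catches symlinks inside it that point elsewhere."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", cmd):
        return None
    base = Path(adc_path).resolve()
    target = (base / cmd).resolve()
    if target.parent != base:
        return None
    return str(target)


if __name__ == "__main__":
    traversal = "../../../../usr/bin/foo"
    print("vulnerable:", resolve_adc_vulnerable(GL_ADC_PATH, traversal))
    print("fixed:     ", resolve_adc_fixed(GL_ADC_PATH, traversal))
    print("strict:    ", resolve_adc_strict(GL_ADC_PATH, traversal))
```

The strict variant also rejects names with shell metacharacters or path separators, which the ".." filter alone does not address.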

Comment 1 Vincent Danen 2011-04-12 02:55:44 UTC
Created gitolite tracking bugs for this issue

Affects: fedora-all [bug 695569]
Affects: epel-6 [bug 695570]

Comment 2 Lubomir Rintel 2011-04-12 07:24:34 UTC
This was fixed long ago in:

gitolite-1.5.3-2.fc14
gitolite-1.5.7-2.1.el6