Sebastian Krahmer of the SuSE security team discovered remote command injection flaws in gitweb, caused by insufficient checking of the inputs used to build the argument to perl's open() function. A remote attacker could use these flaws to run arbitrary commands with the privileges of the web server executing gitweb CGI scripts.

Issues are already fixed upstream in the latest git branches. It seems that the security consequences were not noticed when fixes were applied upstream, as multiple occurrences of the similar flaws were fixed in different upstream versions:

CVE-2008-5517 http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5 (fixes issues in git_snapshot and git_object, first occurred in 1.5.6)
CVE-2008-5516 http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae (fixes issue in git_search, first occurred in 1.5.5)

All current Fedora packages use version 1.5.6+, so neither of the issues applies to them. EPEL versions should be affected by one or both of the issues.
Looking at this, am I correct that EL-4 isn't vulnerable to either of these since it includes git-1.5.4.7? For EL-5, git is at 1.5.5.6, which includes c582abae. So, we just need to add 516381d5 to correct CVE-2008-5517. Sound right?
(In reply to comment #1)
> Looking at this, am I correct that EL-4 isn't vulnerable to either of these
> since it includes git-1.5.4.7?

Sorry for being dense there. I realized a bit later that 1.5.4.7 indeed was vulnerable to both issues. (I read the "first occurred in ..." part as when the vulnerability first occurred, not when the commit which fixes it occurred.)

Are there testcases available to verify the fixes? The commits from git.git require a little massaging to apply to 1.5.4.7, so checking that the issues are fixed would be good.
Right, EPEL-4 should be affected by both; "first occurred in" was meant as "first fixed in". I have not tried to find the first affected version; it may go way back. I do not have any ready-to-use test case, though based on comments in infrastructure ticket 1120, someone has been able to re-create one successfully.

As for the EPEL-4 patch, it may be possible to address -5516 by using quote_command() (introduced in the -5517 patch) on the open() argument.
A smaller fix for -5516 was used in warthog9's tree (should be used on kernel.org): http://git.kernel.org/?p=git/warthog9/gitweb.git;a=commitdiff;h=bf17b83a
Thanks Tomas. The patch that I had matched the upstream c582abae pretty well. Here's the small difference:

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl -index 922dee9..ec73cb1 100755 +index 86a6ced..e011393 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl -@@ -5305,51 +5305,19 @@ sub git_search { +@@ -5199,50 +5199,18 @@ sub git_search { print "<table class=\"pickaxe search\">\n"; my $alternate = 1; $/ = "\n"; - my $git_command = git_cmd_str(); - my $searchqtext = $searchtext; - $searchqtext =~ s/'/'\\''/; -- my $pickaxe_flags = $search_use_regexp ? '--pickaxe-regex' : ''; - open my $fd, "-|", "$git_command rev-list $hash | " . -- "$git_command diff-tree -r --stdin -S\'$searchqtext\' $pickaxe_flags"; +- "$git_command diff-tree -r --stdin -S\'$searchqtext\'"; + open my $fd, '-|', git_cmd(), '--no-pager', 'log', @diff_opts, -+ '--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext", -+ ($search_use_regexp ? '--pickaxe-regex' : ()); ++ '--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext"; undef %co; my @files; while (my $line = <$fd>) {

(also at http://tmz.fedorapeople.org/tmp/git-1.5.4.7-CVE-2008-5516-interdiff.diff in case Bugzilla mangles it. The full diff for updating git-1.5.4.7 on EL-4 is http://tmz.fedorapeople.org/tmp/git-1.5.4.7-2.diff. Unless that looks wildly wrong, I'll apply it today.)

This is much closer to the upstream patch, which hopefully will minimize the chance of introducing new bugs. About testcases, I did get one for -5517 from Ricky yesterday. It's just -5516 that I don't have. If you run across one, let me know (gpg key 0xBEAF0CE3 if you want to send privately).
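Review bot: the only divergence from c582abae in this hunk is the dropped `($search_use_regexp ? '--pickaxe-regex' : ())` argument, and for 1.5.4.7 that is the right adaptation rather than a lost feature: the `--` line shows `$pickaxe_flags` existed only in the upstream pre-image, and the `@@` counts (51 to 19 upstream, 50 to 18 here) agree with exactly that one-line difference. The part that actually closes -5516 is carried over unchanged: the string-form `open my $fd, "-|", "$git_command rev-list $hash | " . "$git_command diff-tree -r --stdin -S\'$searchqtext\'"` (whose `s/'/'\\''/` escape has no `/g`, so only the first quote in `$searchtext` was ever escaped) is replaced by the list-form `open my $fd, '-|', git_cmd(), ...`, where `"-S$searchtext"` reaches git as a single argv element with no shell in between. That also points at the missing -5516 regression test: a search string containing two single quotes should now be matched literally, which the old code could not do.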
I just built git-1.5.4.7-2.el4¹ and sent a note to epel_signers asking to get it pushed. git-1.5.5.6-2.el5 is already in the stable EPEL updates.

¹ http://buildsys.fedoraproject.org/logs/fedora-4-epel/1197-git-1.5.4.7-2.el4/
Created attachment 329438: SuSE patch

Extracted from git-1.5.2.4-24.4.src.rpm, quote_command() was used in all three cases.
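As an added illustration (not code from this bug's patches or from git's tree) of why the git_search change in the interdiff above fixes -5516: the pre-fix single-quote escaping from the removed lines beside the list-form open() that replaced it. Assumptions: perl itself stands in for git_cmd() so the snippet runs without git, and the search text and @diff_opts values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Quoting as in the pre-fix git_search: the substitution has no /g flag,
# so only the FIRST single quote in the search text is escaped. A second
# quote closes the shell-quoted region and the remainder is shell syntax.
sub quote_like_old_gitweb {
    my ($text) = @_;
    (my $q = $text) =~ s/'/'\\''/;
    return $q;
}

# Count single quotes that are not part of a '\'' escape sequence; any
# nonzero result means the string-form open() would hand text to the shell.
sub unescaped_quotes {
    my ($q) = @_;
    (my $stripped = $q) =~ s/'\\''//g;
    return scalar(() = $stripped =~ /'/g);
}

# Hardened form mirroring the fix: list-form open() spawns the child directly,
# so every list element becomes exactly one argv entry and no shell ever runs.
# Stand-in for git_cmd() (assumption): perl printing its own @ARGV, so this
# works offline. The '--' keeps perl from reading "-S..." as its own switch.
sub child_argv_list_form {
    my ($searchtext, @diff_opts) = @_;
    open my $fd, '-|', $^X, '-e', 'print "$_\n" for @ARGV', '--',
        'log', @diff_opts, '--pretty=format:%H', '--no-abbrev', '--raw',
        "-S$searchtext"
        or die "cannot spawn child: $!";
    chomp(my @argv = <$fd>);
    close $fd;
    return @argv;
}

my $searchtext = "a'b'c; id";   # constructed input: two quotes and a ';'
my $q = quote_like_old_gitweb($searchtext);
printf "old quoting: %s (unescaped quotes left: %d)\n", $q, unescaped_quotes($q);

# With the list form the whole search text travels as the single last argument,
# quotes and ';' included, because nothing between us and the child parses it.
print "list-form argv:\n";
print "  [$_]\n" for child_argv_list_form($searchtext, '-M', '-C');
```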