Bug 680905 (CVE-2011-1027) - CVE-2011-1027 cgit: invalid hex escape (e.g., %GG) in query triggers infinite loop
Summary: CVE-2011-1027 cgit: invalid hex escape (e.g., %GG) in query triggers infinite...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1027
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-02-28 12:35 UTC by Jim Meyering
Modified: 2019-09-29 12:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-24 20:13:23 UTC


Attachments
infloop fix (1017 bytes, patch)
2011-02-28 12:35 UTC, Jim Meyering

Description Jim Meyering 2011-02-28 12:35:00 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15pre) Gecko/20110227 Namoroka/3.6.15pre

Any cgit URL containing a hex escape like %GG, where GG is not a pair of hexadecimal digits, causes cgit.cgi to go into an infinite loop.
Affects v0.8.3.4, upstream latest-from-git, as well as versions in Fedora.

Reproducible: Always

Steps to Reproduce:
1. find a cgit server and give it a request like http://git.gnome.org/browse/gdlmm/commit/?id=%gg
Actual Results:  
infloop on server, client hangs indefinitely

Expected Results:  
no server infloop, client returns error immediately

patch below
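
The report above describes a query-string decoder that stops making progress on a malformed escape. The following is an added example written for this page, not cgit's code and not the upstream patch: a percent-decoder whose loop consumes at least one input byte on every iteration, so "%GG", a truncated "%4" or a trailing "%" are passed through literally instead of being re-examined forever. The function names and the sample queries are constructed for illustration.

```c
/* Added example (not cgit's code and not the upstream fix): a percent-
 * decoder that cannot stall on a malformed escape such as "%GG". The
 * property that matters is that every iteration consumes at least one
 * input byte, whether or not the escape is well formed. */
#include <stdio.h>
#include <string.h>

/* Map an ASCII hex digit to 0..15, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode src into dst (dstlen bytes incl. the NUL). A well-formed "%XX"
 * becomes one byte; a malformed one ("%GG", "%4", trailing "%") is
 * copied through literally. Returns bytes written (excluding the NUL)
 * or -1 if dst is too small. */
int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, out = 0;

    while (src[i] != '\0') {
        int hi, lo;
        if (out + 1 >= dstlen)
            return -1;
        if (src[i] == '%'
            && (hi = hexval((unsigned char)src[i + 1])) >= 0
            && (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            dst[out++] = (char)(hi * 16 + lo);
            i += 3;                 /* valid escape: consume all three */
        } else {
            dst[out++] = src[i];
            i += 1;                 /* anything else: always advance */
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Decode src and report whether the result equals want (1 = match). */
int decodes_to(const char *src, const char *want)
{
    char buf[64];
    int n = url_decode(src, buf, sizeof buf);
    return n >= 0 && strcmp(buf, want) == 0;
}
```

Feeding the constructed queries "id=%41%42", "id=%gg", "id=%4" and "id=%" to decodes_to() yields "id=AB", "id=%gg", "id=%4" and "id=%" respectively, and the loop terminates on all of them.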

Comment 1 Jim Meyering 2011-02-28 12:35:58 UTC
Created attachment 481360 [details]
infloop fix

Comment 2 Vincent Danen 2011-02-28 16:51:43 UTC
I've assigned CVE-2011-1027 to this issue.

Comment 3 Vincent Danen 2011-02-28 16:54:39 UTC
Please note that this is currently embargoed; Jim is trying to get in touch with upstream to alert them first.  Please do NOT commit anything public regarding this; we will wait to see what upstream wants to do here first.

Comment 4 Todd Zullinger 2011-03-01 01:08:17 UTC
Thanks to both of you.  I started working on this in the morning after the report came in, and was glad to see an update with a CVE.  Otherwise, I may have pushed an update.  I'll keep my eye out for what happens here.

Comment 5 Vincent Danen 2011-03-04 05:04:22 UTC
Jim, have you heard back from upstream regarding this yet?

Comment 6 Jim Meyering 2011-03-04 05:22:18 UTC
Still no reply.  I pinged him 8 hours ago, using his @gmail address, which is the only one I have.

Comment 7 Vincent Danen 2011-03-04 15:55:52 UTC
Ok, thank you.  Let's wait at least the weekend to see if there is a response and we can see on Monday or Tuesday whether or not to post this to oss-security and make it public.

Comment 8 Jim Meyering 2011-03-05 14:08:08 UTC
Upstream replied.  He plans to include the patch in a bugfix release to be published today.

Comment 9 Jim Meyering 2011-03-05 16:51:35 UTC
The fix is now public, as part of today's v0.9 release:

http://hjemli.net/git/cgit/commit/?id=fc384b16fb9787380746000d3cea2d53fccc548e

Comment 10 Tomas Hoger 2011-03-07 08:01:21 UTC
The fix was applied to upstream version v0.8.3.5 too, in addition to v0.9.  I see Todd already built 0.9 for all Fedora and EPEL branches.

Making this bug public.

Comment 11 Tomas Hoger 2011-03-07 08:21:24 UTC
v0.8.3.5 announce message mentions security impact:
  http://thread.gmane.org/gmane.comp.version-control.git/168493

Comment 12 Vincent Danen 2011-03-24 20:13:23 UTC
0.9 has been pushed to all Fedora and EPEL branches.

