Bug 967346 (CVE-2013-2117) - CVE-2013-2117 cgit: directory traversal
Summary: CVE-2013-2117 cgit: directory traversal
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2013-2117
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard:
Depends On: 967661 967662
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-26 18:49 UTC by Agostino Sarubbo
Modified: 2019-09-29 13:05 UTC (History)
4 users (show)

Fixed In Version: cgit 0.9.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 11:00:40 UTC
Embargoed:

Attachments (Terms of Use)

Description Agostino Sarubbo 2013-05-26 18:49:53 UTC 
From oss-security mailing list:

As mentioned in early messages to oss-sec, I've inherited
maintainership of the cgit codebase and am gradually auditing it.
Today I found a nasty directory traversal:

http://somehost/?url=/somerepo/about/../../../../etc/passwd

This should be pretty straightforward to categorize.

Exploitation looks like:
http://data.zx2c4.com/cgit-directory-traversal.png

I've committed a fix for it here:
http://git.zx2c4.com/cgit/commit/?h=wip&id=babf94e04e74123eb658a823213c062663cdadd6

And this fix will be in the master branch and a new release will be made soon.

Cgit by default is not vulnerable to this, and the vulnerability only
exists when a user has configured cgit to use a readme file from a
filesystem filepath instead of from the git repo itself. Until a
release is made, administrators are urged to disable reading the
readme file from a filepath, if currently enabled.
Comment 1 Vincent Danen 2013-05-27 20:00:16 UTC 
This was assigned CVE-2013-2117 as per:

http://seclists.org/oss-sec/2013/q2/414
Comment 2 Vincent Danen 2013-05-27 21:47:17 UTC 
This is fixed in upstream 0.9.2 release:

http://lists.zx2c4.com/pipermail/cgit/2013-May/001394.html
Comment 3 Vincent Danen 2013-05-27 21:48:19 UTC 
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 967661]
Affects: epel-all [bug 967662]
Comment 4 Fedora Update System 2013-06-05 03:16:21 UTC 
cgit-0.9.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-06-06 01:30:09 UTC 
cgit-0.9.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-06 01:37:20 UTC 
cgit-0.9.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-12 20:08:39 UTC 
cgit-0.9.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-12 20:10:06 UTC 
cgit-0.9.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Product Security DevOps Team 2019-06-10 11:00:40 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Note You need to log in before you can comment on or make changes to this bug.