Bug 967346 - (CVE-2013-2117) CVE-2013-2117 cgit: directory traversal
CVE-2013-2117 cgit: directory traversal
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://www.openwall.com/lists/oss-sec...
impact=low,public=20130525,reported=2...
: Security
Depends On: 967661 967662
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-26 14:49 EDT by Agostino Sarubbo
Modified: 2015-07-31 03:06 EDT (History)
4 users (show)

See Also:
Fixed In Version: cgit 0.9.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Agostino Sarubbo 2013-05-26 14:49:53 EDT
From oss-security mailing list:

As mentioned in early messages to oss-sec, I've inherited
maintainership of the cgit codebase and am gradually auditing it.
Today I found a nasty directory traversal:

http://somehost/?url=/somerepo/about/../../../../etc/passwd

This should be pretty straightforward to categorize.

Exploitation looks like:
http://data.zx2c4.com/cgit-directory-traversal.png

I've committed a fix for it here:
http://git.zx2c4.com/cgit/commit/?h=wip&id=babf94e04e74123eb658a823213c062663cdadd6

And this fix will be in the master branch and a new release will be made soon.

Cgit by default is not vulnerable to this, and the vulnerability only
exists when a user has configured cgit to use a readme file from a
filesystem filepath instead of from the git repo itself. Until a
release is made, administrators are urged to disable reading the
readme file from a filepath, if currently enabled.
Comment 1 Vincent Danen 2013-05-27 16:00:16 EDT
This was assigned CVE-2013-2117 as per:

http://seclists.org/oss-sec/2013/q2/414
Comment 2 Vincent Danen 2013-05-27 17:47:17 EDT
This is fixed in upstream 0.9.2 release:

http://lists.zx2c4.com/pipermail/cgit/2013-May/001394.html
Comment 3 Vincent Danen 2013-05-27 17:48:19 EDT
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 967661]
Affects: epel-all [bug 967662]
Comment 4 Fedora Update System 2013-06-04 23:16:21 EDT
cgit-0.9.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-06-05 21:30:09 EDT
cgit-0.9.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-05 21:37:20 EDT
cgit-0.9.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-12 16:08:39 EDT
cgit-0.9.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-12 16:10:06 EDT
cgit-0.9.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.