Bug 479715 (CVE-2008-5516, CVE-2008-5517) - git: gitweb multiple remote command injections (CVE-2008-5516 CVE-2008-5517)
Summary: git: gitweb multiple remote command injections (CVE-2008-5516 CVE-2008-5517)
Alias: CVE-2008-5516, CVE-2008-5517
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2009-01-12 16:48 UTC by Tomas Hoger
Modified: 2013-01-10 10:29 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 07:56:13 UTC

Attachments (Terms of Use)
SuSE patch (2.88 KB, patch)
2009-01-20 08:03 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2009-01-12 16:48:12 UTC
Sebastian Krahmer of the SuSE security team discovered a remote command injection flaws in the gitweb, caused by an insufficient checking of the inputs used to build argument to perl's open() function.  Remote attacker could use these flaws to run arbitrary commands with the privileges of the web server executing gitweb CGI scripts.

Issues are already fixed upstream in the latest git branches.  It seems that the security consequences were not noticed when fixes were applied upstream, as multiple occurrences of the similar flaws were fixed in different upstream versions:

  (fixes issues in git_snapshot and git_object, first occurred in 1.5.6)

  (fixes issue in git_search, first occurred in 1.5.5)

All current Fedora packages use version 1.5.6+, so neither of the issue apply to them.  EPEL versions should be affected by one or both of the issues.

Comment 1 Todd Zullinger 2009-01-12 19:34:33 UTC
Looking at this, am I correct that EL-4 isn't vulnerable to either of these since it includes git-

For EL-5, git is at, which includes c582abae.  So, we just need to add 516381d5 to correct CVE-2008-5517.  Sound right?

Comment 2 Todd Zullinger 2009-01-13 06:50:30 UTC
(In reply to comment #1)
> Looking at this, am I correct that EL-4 isn't vulnerable to either of these
> since it includes git-

Sorry for being dense there.  I realized a bit later that indeed was vulnerable to both issues.  (I read the "first occurred in ..." part as when the vulnerability first occurred, not when the commit which fixes it occurred.)

Are there testcases available to verify the fixes?  The commits from git.git require a little massaging to apply to, so checking that the issues are fixed would be good.

Comment 3 Tomas Hoger 2009-01-13 07:46:17 UTC
Right, EPEL-4 should be affected by both, "first occurred in" was meant as "first fixed in".  I have not tried to find first affected version, it may go way back.

I do not have any ready to use test case, though based on comments in infrastructure ticket 1120, someone's been able to re-create one successfully.

As for EPEL-4 patch, it may be possible to address -5516 by using quote_command() (introduced in -5517 patch) on the open() argument.

Comment 4 Tomas Hoger 2009-01-13 12:47:54 UTC
Smaller fix for -5516 was used in warthog9's tree (should be used on kernel.org):


Comment 5 Todd Zullinger 2009-01-13 15:09:57 UTC
Thanks Tomas.  The patch that I had matched the upstream c582abae pretty well.  Here's the small difference:

 diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
-index 922dee9..ec73cb1 100755
+index 86a6ced..e011393 100755
 --- a/gitweb/gitweb.perl
 +++ b/gitweb/gitweb.perl
-@@ -5305,51 +5305,19 @@ sub git_search {
+@@ -5199,50 +5199,18 @@ sub git_search {
  		print "<table class=\"pickaxe search\">\n";
  		my $alternate = 1;
  		$/ = "\n";
 -		my $git_command = git_cmd_str();
 -		my $searchqtext = $searchtext;
 -		$searchqtext =~ s/'/'\\''/;
--		my $pickaxe_flags = $search_use_regexp ? '--pickaxe-regex' : '';
 -		open my $fd, "-|", "$git_command rev-list $hash | " .
--			"$git_command diff-tree -r --stdin -S\'$searchqtext\' $pickaxe_flags";
+-			"$git_command diff-tree -r --stdin -S\'$searchqtext\'";
 +		open my $fd, '-|', git_cmd(), '--no-pager', 'log', @diff_opts,
-+			'--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext",
-+			($search_use_regexp ? '--pickaxe-regex' : ());
++			'--pretty=format:%H', '--no-abbrev', '--raw', "-S$searchtext";
  		undef %co;
  		my @files;
  		while (my $line = <$fd>) {

(also at http://tmz.fedorapeople.org/tmp/git- in case Bugzilla mangles it.  The full diff for updating git- on EL-4 is http://tmz.fedorapeople.org/tmp/git-  Unless that looks wildly wrong, I'll apply it today.)

This is much closer to the upstream patch, which hopefully will minimize the chance of introducing new bugs.

About testcases, I did get one for -5517 from Ricky yesterday.  It's just -5516 that I don't have.  If you run across one, let me know (gpg key 0xBEAF0CE3 if you want to send privately).

Comment 6 Todd Zullinger 2009-01-14 19:18:26 UTC
I just built git-¹ and sent a note to epel_signers asking to get it pushed.  git- is already in the stable EPEL updates.

¹ http://buildsys.fedoraproject.org/logs/fedora-4-epel/1197-git-

Comment 7 Tomas Hoger 2009-01-20 08:03:52 UTC
Created attachment 329438 [details]
SuSE patch

Extracted from git-, quote_command() was used in all three cases.

Note You need to log in before you can comment on or make changes to this bug.