gitweb local privilege escalation

2009.01.22
Risk: Low
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--=-=-= Current gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query. Recent (post 1.4.3) gitweb itself never generates a link that would result in such a query, and the safest and cleanest fix to this issue is to simply drop the support for it. Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement for v1.6.0.6 I sent out a few minutes ago), and the master branch and others pushed out tonight have the same fix. This message contains two patches (credits go to Matt McCutchen, Jeff King and Jakub Narebski) to do the fix yourself: (1) for Git 1.5.4.X, 1.5.5.X, and 1.5.6.X, and (2) for Git 1.6.0.X. Distro packagers and people on the vendor security list have been notified about this fix earlier this week; people running gitweb from vendor supplied binaries should be able to get updates from them as well. --=-=-= Content-Disposition: attachment; filename=0001-hotfix-1.5.456.X.txt Content-Description: gitweb hotfix for 1.5.[456].X series >From dfff4b7aa42de7e7d58caeebe2c6128449f09b76 Mon Sep 17 00:00:00 2001 From: Junio C Hamano <gitster@pobox.com> Date: Tue, 16 Dec 2008 19:42:02 -0800 Subject: [PATCH] gitweb: do not run "git diff" that is Porcelain Jakub says that legacy-style URI to view two blob differences are never generated since 1.4.3. This codepath runs "git diff" Porcelain from the gitweb, which is a no-no. It can trigger diff.external command that is specified in the configuration file of the repository being viewed. This patch applies to v1.5.4 and later. Signed-off-by: Junio C Hamano <gitster@pobox.com> --- gitweb/gitweb.perl | 38 ++------------------------------------ 1 files changed, 2 insertions(+), 36 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index b582332..86a6ced 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4809,43 +4809,9 @@ sub git_blobdiff { or die_error(undef, "Open git-diff-tree failed"); } - # old/legacy style URI - if (!%diffinfo && # if new style URI failed - defined $hash && defined $hash_parent) { - # fake git-diff-tree raw output - $diffinfo{'from_mode'} = $diffinfo{'to_mode'} = "blob"; - $diffinfo{'from_id'} = $hash_parent; - $diffinfo{'to_id'} = $hash; - if (defined $file_name) { - if (defined $file_parent) { - $diffinfo{'status'} = '2'; - $diffinfo{'from_file'} = $file_parent; - $diffinfo{'to_file'} = $file_name; - } else { # assume not renamed - $diffinfo{'status'} = '1'; - $diffinfo{'from_file'} = $file_name; - $diffinfo{'to_file'} = $file_name; - } - } else { # no filename given - $diffinfo{'status'} = '2'; - $diffinfo{'from_file'} = $hash_parent; - $diffinfo{'to_file'} = $hash; - } - - # non-textual hash id's can be cached - if ($hash =~ m/^[0-9a-fA-F]{40}$/ && - $hash_parent =~ m/^[0-9a-fA-F]{40}$/) { - $expires = '+1d'; - } - - # open patch output - open $fd, "-|", git_cmd(), "diff", @diff_opts, - '-p', ($format eq 'html' ? "--full-index" : ()), - $hash_parent, $hash, "--" - or die_error(undef, "Open git-diff failed"); - } else { + # old/legacy style URI -- not generated anymore since 1.4.3. + if (!%diffinfo) { die_error('404 Not Found', "Missing one of the blob diff parameters") - unless %diffinfo; } # header -- 1.6.1.rc3.19.g66a9 --=-=-= Content-Disposition: attachment; filename=0002-gitweb-hotfix-1.6.0.X.txt Content-Description: gitweb hotfix for 1.6.0.X series diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index ced7bb7..804670c 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4863,43 +4863,9 @@ sub git_blobdiff { or die_error(500, "Open git-diff-tree failed"); } - # old/legacy style URI - if (!%diffinfo && # if new style URI failed - defined $hash && defined $hash_parent) { - # fake git-diff-tree raw output - $diffinfo{'from_mode'} = $diffinfo{'to_mode'} = "blob"; - $diffinfo{'from_id'} = $hash_parent; - $diffinfo{'to_id'} = $hash; - if (defined $file_name) { - if (defined $file_parent) { - $diffinfo{'status'} = '2'; - $diffinfo{'from_file'} = $file_parent; - $diffinfo{'to_file'} = $file_name; - } else { # assume not renamed - $diffinfo{'status'} = '1'; - $diffinfo{'from_file'} = $file_name; - $diffinfo{'to_file'} = $file_name; - } - } else { # no filename given - $diffinfo{'status'} = '2'; - $diffinfo{'from_file'} = $hash_parent; - $diffinfo{'to_file'} = $hash; - } - - # non-textual hash id's can be cached - if ($hash =~ m/^[0-9a-fA-F]{40}$/ && - $hash_parent =~ m/^[0-9a-fA-F]{40}$/) { - $expires = '+1d'; - } - - # open patch output - open $fd, "-|", git_cmd(), "diff", @diff_opts, - '-p', ($format eq 'html' ? "--full-index" : ()), - $hash_parent, $hash, "--" - or die_error(500, "Open git-diff failed"); - } else { - die_error(400, "Missing one of the blob diff parameters") - unless %diffinfo; + # old/legacy style URI -- not generated anymore since 1.4.3. + if (!%diffinfo) { + die_error('404 Not Found', "Missing one of the blob diff parameters") } # header --=-=-=-- -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

References:

http://www.openwall.com/lists/oss-security/2009/01/20/2
http://www.openwall.com/lists/oss-security/2009/01/15/2
http://marc.info/?l=linux-kernel&amp;m=122975564100863&amp;w=2
:
http://marc.info/?l=git&amp;m=122975564100860&amp;w=2


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top