Bug 349045 (CVE-2010-3906)

Summary: <dev-vcs/git-{1.6.4.4-r1,1.7.2.4-r1,1.7.3.4}: gitweb cross-site scripting vulnerability (CVE-2010-3906)
Product: Gentoo Security
Reporter: Grygoriy I. Fuchedzhy <grygoriy.fuchedzhy>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ricmm, robbat2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 349118, 350075    
Bug Blocks:    
Attachments:
- =dev-vcs/git-1.7.3.4-r1 test failures on SPARC (attachment 257532; flags: none)
- =dev-vcs/git-1.7.3.4-r1 test failures on x86 (attachment 257538; flags: none)
- build.log (attachment 257697; flags: none)

Description Grygoriy I. Fuchedzhy 2010-12-19 00:13:55 UTC
citation of http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3906

"Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters."


Reproducible: Always
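The report above carries only NVD's one-line summary, so here is an added illustration of the bug class it names. This is not gitweb's code and not the patched lines (the page does not show them): a hypothetical CGI-style handler that interpolates the gitweb-style `f` and `fp` query parameters into HTML verbatim, beside the same handler with output escaping, plus a parser-based check that confirms the escaped output carries no script element or event-handler attribute. The HTML layout, the function names and the crafted query string are assumptions made for this example.

```python
"""Added example for CVE-2010-3906's bug class (reflected XSS through file-name
parameters).  NOT gitweb's code: the rendered markup, the render_* functions and
the crafted query string are assumptions for illustration only."""

import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed attacker input (assumed, not from the advisory).  A real request
# would carry this percent-encoded; parse_qs decodes that form as well.
CRAFTED_QUERY = (
    'p=repo.git;a=blobdiff;'
    'f=<script>alert(1)</script>;'
    'fp=x" onmouseover="alert(2)'
)


def parse_gitweb_query(query: str) -> dict:
    """gitweb (via CGI.pm) accepts ';' as well as '&' between parameters.
    Normalise to '&' before parsing and keep the first value of each name."""
    pairs = parse_qs(query.replace(';', '&'), keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def render_vulnerable(params: dict) -> str:
    """Pre-fix pattern: file names from the query string are written straight
    into element content and into an attribute value without escaping."""
    f = params.get('f', '')
    fp = params.get('fp', '')
    return (f'<div class="page_path">{f}</div>\n'
            f'<a href="?a=blob;f={fp}">{fp}</a>')


def esc_html(text: str) -> str:
    """Escape &, <, >, " and ' so the value is inert in both text and
    attribute context.  Plays the role gitweb's own escaping helpers play."""
    return html.escape(text, quote=True)


def render_fixed(params: dict) -> str:
    """Post-fix pattern: every untrusted value is escaped at the point of
    output, in element content and in attribute values alike."""
    f = esc_html(params.get('f', ''))
    fp = esc_html(params.get('fp', ''))
    return (f'<div class="page_path">{f}</div>\n'
            f'<a href="?a=blob;f={fp}">{fp}</a>')


class _ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes seen while
    parsing a fragment the way a browser's tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('script tag')
        for name, _value in attrs:
            if name.startswith('on'):
                self.findings.append(f'event handler attribute {name}')


def find_active_content(fragment: str) -> list[str]:
    """Return a list of injected active-content findings; empty means the
    untrusted input stayed inert after rendering."""
    finder = _ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == '__main__':
    params = parse_gitweb_query(CRAFTED_QUERY)
    for label, render in (('vulnerable', render_vulnerable), ('fixed', render_fixed)):
        fragment = render(params)
        print(f'--- {label} ---\n{fragment}\nfindings: {find_active_content(fragment)}')
```

The check parses the rendered fragment rather than grepping it: a substring search for `onmouseover=` would still match the escaped output, where the attribute name survives as harmless text because the surrounding quote has become `&quot;`. The `fp` payload also shows why escaping only `<` and `>` is not enough: breaking out of an attribute value needs no angle brackets at all.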
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-19 03:02:31 UTC
Stablereq versions:
dev-vcs/git-1.6.4.5
dev-vcs/git-1.7.2.5
dev-vcs/git-1.7.3.4-r1

Target keywords:
alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

HPPA has known test failures, tracked in bug 333339. All other arches should pass, be sure to test with FEATURES=userpriv.

The GLSA needs to have:
1.6: >=dev-vcs/git-1.6.4.4-r1
1.7.2: >=dev-vcs/git-1.7.2.4-r1
1.7.3: >=dev-vcs/git-1.7.3.4

Please notice that the stablereq is for slightly higher versions than the GLSA, as I added the fix in as soon as a public patch was available, and then there was a release with them shortly thereafter.
Comment 2 David Abbott gentoo-dev 2010-12-19 09:18:10 UTC
Tested on x86, all good here.
Comment 3 Alex Buell 2010-12-19 10:57:18 UTC
Tested on SPARC the following:

=dev-vcs/git-1.6.4.5, passed all 87 tests
=dev-vcs/git-1.7.2.5, passed all 90 tests
=dev-vcs/git-1.7.3.4-r1, failed two known breakages and passed 38 tests, but as it failed two tests it was not installed; build.log to follow.
Comment 4 Alex Buell 2010-12-19 10:58:23 UTC
Created attachment 257532
=dev-vcs/git-1.7.3.4-r1 test failures on SPARC
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-19 12:42:00 UTC
Created attachment 257538
=dev-vcs/git-1.7.3.4-r1 test failures on x86

Portage 2.1.9.24 (default/linux/x86/10.0/developer, gcc-4.4.4, glibc-2.11.2-r3, 2.6.35-gentoo-r4 i686)
=================================================================
System uname: Linux-2.6.35-gentoo-r4-i686-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-1.12.14
Timestamp of tree: Sun, 19 Dec 2010 09:25:01 +0000
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11-r1
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA spin-educational AdobeFlash-10.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe -ggdb3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/lib/hsqldb /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe -ggdb3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa berkdb bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emacs emboss encode exif fam firefox flac fortran gdbm gdu gif gnutls gtk hal iconv jpeg lcms libnotify mad mbox mikmod mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly nss ogg opengl openmp pam pango pcre pdf perl png policykit ppds pppd python qt3support readline sdl secure-delete session snmp spell sqlite ssl startup-notification subversion svg sysfs tcb tcpd tiff toolkit-scroll-bars truetype unicode usb vorbis x264 x86 xcb xft xinerama xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ens1371" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard vmmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vmware vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-19 12:44:27 UTC
(In reply to comment #1)
> Stablereq versions:
> dev-vcs/git-1.6.4.5

^- x86 stable

> dev-vcs/git-1.7.2.5

^- x86 stable

> dev-vcs/git-1.7.3.4-r1

^- fails tests on x86, attached build log, not stable

By the way, do we need to stabilize it? The previous latest stable version on x86 was 1.7.2.2, so 1.7.2.5 should be enough.
Comment 7 Agostino Sarubbo gentoo-dev 2010-12-19 20:25:05 UTC
amd64 ok:

I confirm that 1.7.3.4-r1 fails test.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-20 04:03:20 UTC
This is my output on amd64, with FEATURES='userpriv test'. I have _ZERO_ failures. Also, please note the correct number of total tests.

With FEATURES=userpriv:
===
...
# passed all 15 test(s)
1..15
make aggregate-results
make[3]: Entering directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
for f in test-results/t*-*.counts; do \
	echo "$f"; \
done | '/bin/sh' ./aggregate-results.sh
fixed   0
success 6233
failed  0
broken  32
total   6348
make[3]: Leaving directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
===

With FEATURES=-userpriv (so all tests that are affected by it are disabled):
===
...
# passed all remaining 49 test(s)
1..50
make aggregate-results
make[3]: Entering directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
for f in test-results/t*-*.counts; do \
	echo "$f"; \
done | '/bin/sh' ./aggregate-results.sh
fixed   0
success 6080
failed  0
broken  24
total   6188
make[3]: Leaving directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
====

Agostino Sarubbo:
please attach your build.log, and can you make sure that you used FEATURES=userpriv?
Comment 9 Tobias Klausmann gentoo-dev 2010-12-20 12:01:50 UTC
Stable on alpha:
=dev-vcs/git-1.6.4.5
=dev-vcs/git-1.7.2.5
=dev-vcs/git-1.7.3.4-r1
Comment 10 Christian Ruppert (idl0r) gentoo-dev 2010-12-21 17:03:17 UTC
Created attachment 257697
build.log

emerge --info
Portage 2.1.9.25 (hardened/linux/amd64, gcc-4.4.4-asneeded, glibc-2.11.2-r3, 2.6.36-hardened-r2 x86_64)
=================================================================
System uname: Linux-2.6.36-hardened-r2-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-2.0.1
Timestamp of tree: Tue, 21 Dec 2010 16:30:01 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     0.6.8
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y --columns"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fail-clean fakeroot fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict suidctl unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
GENTOO_MIRRORS="http://gentoo.mneisen.org/ http://mirror.jamit.de/gentoo/ http://mirror.netcologne.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,now -Wl,--sort-common"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude lost+found"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://vireo.gentoo.org/gentoo-portage"
USE="X509 acl amd64 animgif audit automap bash-completion bcmath berkdb blksha1 bzip2 caps cgi checkpath chroot clamdtop cleartype cli community corefonts cracklib crypt cscope ctype ctypes-python curl curlwrappers cxx diskio dkim dnsdb dsn eselect exceptions exif exiscan-acl expat extensions extras filter fontconfig ftp fts3 gcrypt gd gdbm geoip gif glib gmp gnutls gpg hardened hash hpn iconv icu idn imap iproute2 ipv6 ithreads jabber jpeg json justify kpoll libssh2 lzma lzo maildir managesieve mhash mktemp mmx mode-paranoid modules multilib mysql mysqli nagios-dns nagios-ntp nagios-ping nagios-ssh ncurses net nethack network-cron nptl nptlonly openmp opensslcrypt pam pcntl pcre pdo perl pic plugins png posix pth python readline reflection reload reload-error-restart rrdcgi sasl secure-delete sensord session sha512 sidebar sieve simplexml smime smp snmp soap sockets spf spl sqlite sqlite3 sse sse2 ssl ssse3 suexec svg swig syslog sysvipc threads threadsafe tokenizer tools truetype unicode unlock-notify urandom vim-syntax web webdav-neon xattr xinetd xml xmlreader xmlrpc xmlwriter xsl zip zlib zsh-completion" APACHE2_MODULES="asis actions alias auth_basic auth_digest authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cgid dbd deflate dir env expires filter headers include info log_config mime mime_magic negotiation rewrite setenvif so status unique_id userdir usertrack vhost_alias substitute" APACHE2_MPMS="worker" ELIBC="glibc" KERNEL="linux" NGINX_MODULES_HTTP="access auth_basic autoindex empty_gif fastcgi map rewrite stub_status perl" RUBY_TARGETS="ruby18" USERLAND="GNU" 
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-23 22:47:36 UTC
Bug #349083 shouldn't block because with FEATURES="-sandbox" tests shouldn't fail (at least for HPPA PPC).

Stable for HPPA PPC.
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-26 22:43:17 UTC
Everybody that had a problem with 1.7.3.4-r1:
The problem was a false positive triggered when the shell of the user running the testsuite was /bin/false. The return status of $SHELL was checked, and the contents of $SHELL -c 'FOO' were never run.

I've fixed it in the entire 1.7.3 series now, and will send the patch to upstream shortly.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2010-12-27 14:53:18 UTC
ppc64 done
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2010-12-31 12:24:21 UTC
x86 stable
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-12-31 15:19:53 UTC
amd64 done
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2011-01-01 15:39:33 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 15:50:44 UTC
Thanks, folks. Closing noglsa for XSS.
Comment 18 Grygoriy I. Fuchedzhy 2011-01-07 12:47:35 UTC
(In reply to comment #15)
> amd64 done
> 

I can see only 1.6.4.4 and 1.7.2.2 stable for amd64 both of which are vulnerable.
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 14:47:52 UTC
(In reply to comment #18)
> (In reply to comment #15)
> > amd64 done
> > 
> 
> I can see only 1.6.4.4 and 1.7.2.2 stable for amd64 both of which are
> vulnerable.
> 

Good catch; thank you.

@amd64, ping?
Comment 20 Markos Chandras (RETIRED) gentoo-dev 2011-01-07 15:09:54 UTC
somehow I forgot(?) to commit the stable ebuilds. Done now. Sorry for the noise
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 16:47:12 UTC
(In reply to comment #20)
> somehow I forgot(?) to commit the stable ebuilds. Done now. Sorry for the noise
> 

Not a problem; thank you.