Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 251343 - dev-util/git < gitweb privilege escalation (CVE-2008-{5516,5517,5916})
Summary: dev-util/git < gitweb privilege escalation (CVE-2008-{5516,5517,5916})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
: 252208 CVE-2008-5517 (view as bug list)
Depends on:
Reported: 2008-12-17 18:47 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-09 13:57 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

gitweb hotfix for 1.5.[456].X (0001-gitweb-do-not-run-git-diff-that-is-Porcelain.txt,2.26 KB, patch)
2008-12-17 18:48 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
gitweb hotfix for 1.6.0.X (0002.txt,1.59 KB, patch)
2008-12-17 18:48 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
amg64 build.log (with failing tests) (git-,79.74 KB, text/plain)
2008-12-23 14:32 UTC, Sven Gebhardt
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:47:42 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Junio C Hamano wrote:
Current gitweb has a possible local privilege escalation bug that allows a
malicious repository owner to run a command of his choice by specifying
diff.external configuration variable in his repository and running a
crafted gitweb query.

Recent (post 1.4.3) gitweb itself never generates a link that would result
in such a query, and the safest and cleanest fix to this issue is to
simply drop the support for it.  This message contains two patches
(credits go to Matt McCutchen, Jeff King and Jakub Narebski) just to do

 (1) for Git 1.5.4.X, 1.5.5.X, and 1.5.6.X, and

 (2) for Git 1.6.0.X.

I'll be cutting real maintenance release with these patches and tagging
them as,, and shortly (by the end of the
week at the latest); I am sending these patches to distro packagers so
that they can use them to hotfix their released versions that might be
older than the ones listed above.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:48:33 UTC
Created attachment 175628 [details, diff]
gitweb hotfix for 1.5.[456].X
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:48:55 UTC
Created attachment 175629 [details, diff]
gitweb hotfix for 1.6.0.X
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:51:07 UTC
We can either prestable an ebuild with the patch applied on this bug or bump the maintenance release once it's out. Robin, what do you prefer?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 10:26:24 UTC
public now.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 10:26:56 UTC
*** Bug 252208 has been marked as a duplicate of this bug. ***
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-23 10:41:13 UTC is in the tree now. If it's got the actual fix, we should stabilize it.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-23 11:55:18 UTC
Yup, it has the fix.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-12-23 14:28:17 UTC
Sparc stable.  Built with FEATURES='test userpriv' and all tests which are supposed to pass do pass.
Comment 9 Sven Gebhardt 2008-12-23 14:32:43 UTC
Created attachment 176214 [details]
amg64 build.log (with failing tests)

This does not build on amd64 with tests enabled. (Without tests, it emerges fine and seems to work correctly.)

emerge --info:
Portage (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64)
System uname: 2.6.23-gentoo-r8 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
Timestamp of tree: Tue, 23 Dec 2008 12:00:01 +0000
app-shells/bash:    3.2_p33
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:    2.4.4-r13, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.61-r2
sys-devel/automake:  1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:  1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-O2 -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mmx mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl sse sse2 ssl sysfs tcpd unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Comment 10 Markus Meier gentoo-dev 2008-12-23 17:09:36 UTC
amd64/x86 stable
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-23 19:20:53 UTC I can't reproduce your failure here.
Can you please:
1. show me: "emerge -pv dev-util/git"
2. run that testcase manually and attach the detailed output.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-12-23 19:32:20 UTC
alpha/arm/ia64 stable

and btw, tests need to be run with FEATURES="userpriv"
Comment 13 Sven Gebhardt 2008-12-23 23:19:51 UTC
yeah, tests pass with FEATURES=userpriv and builds correctly on amd64. My bad. Merry christmas anyway!
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-25 21:28:11 UTC
Stable for HPPA.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:30:57 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-01-01 10:33:18 UTC
s390/sh stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-01-08 20:23:45 UTC
ppc64 done
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 18:26:28 UTC
glsa request filed.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 18:30:38 UTC
CVE-2008-5517 (
  The web interface in git in SUSE openSUSE 10.3 allows remote
  attackers to execute arbitrary commands via shell metacharacters in
  an unspecified context.

CVE-2008-5516 (
  The web interface in git (gitweb) 1.5.6, and possibly other versions,
  allows remote attackers to execute arbitrary commands via shell
  metacharacters related to git_search.  NOTE: because of the lack of
  details, it is not clear whether CVE-2008-5516 and CVE-2008-5517 are
  distinct issues on the rPath Linux 2 platform.

CVE-2008-5916 (
  gitweb/gitweb.perl in gitweb in Git 1.6.x before, 1.5.6.x
  before, 1.5.5.x before, 1.5.4.x before, and
  other versions after 1.4.3 allows local repository owners to execute
  arbitrary commands by modifying the diff.external configuration
  variable and executing a crafted gitweb query.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 18:30:50 UTC
*** Bug 255567 has been marked as a duplicate of this bug. ***
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:57:13 UTC
GLSA 200903-15