citation of http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3906
"Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters."

Reproducible: Always

Stablereq versions:
dev-vcs/git-1.6.4.5
dev-vcs/git-1.7.2.5
dev-vcs/git-1.7.3.4-r1

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

HPPA has known test failures, tracked in bug 333339. All other arches should pass, be sure to test with FEATURES=userpriv.

The GLSA needs to have:
1.6: >=dev-vcs/git-1.6.4.4-r1
1.7.2: >=dev-vcs/git-1.7.2.4-r1
1.7.3: >=dev-vcs/git-1.7.3.4

Please notice that the stablereq is for slightly higher versions than the GLSA, as I added the fix in as soon as a public patch was available, and then there was a release with them shortly thereafter.
Tested on x86, all good here.
Tested on SPARC the following:
=dev-vcs/git-1.6.4.5, passed all 87 tests
=dev-vcs/git-1.7.2.5, passed all 90 tests
=dev-vcs/git-1.7.3.4-r1, failed two known breakages and passed 38 tests
but as it failed two tests, was not installed, build.log to follow..
Created attachment 257532 [details] =dev-vcs/git-1.7.3.4-r1 test failures on SPARC
Created attachment 257538 [details] =dev-vcs/git-1.7.3.4-r1 test failures on x86
(In reply to comment #1)
> Stablereq versions:
> dev-vcs/git-1.6.4.5
^- x86 stable
> dev-vcs/git-1.7.2.5
^- x86 stable
> dev-vcs/git-1.7.3.4-r1
^- fails tests on x86, attached build log, not stable

By the way, do we need to stabilize it? The previous latest stable version on x86 was 1.7.2.2, so 1.7.2.5 should be enough.
amd64 ok: I confirm that 1.7.3.4-r1 fails test.
This is my output on amd64, with FEATURES='userpriv test'. I have _ZERO_ failures. Also, please note the correct number of total tests.

With FEATURES=userpriv:
===
...
# passed all 15 test(s)
1..15
make aggregate-results
make[3]: Entering directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
for f in test-results/t*-*.counts; do \
	echo "$f"; \
done | '/bin/sh' ./aggregate-results.sh
fixed   0
success 6233
failed  0
broken  32
total   6348
make[3]: Leaving directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
===

With FEATURES=-userpriv (so all tests that are affected by it are disabled):
===
...
# passed all remaining 49 test(s)
1..50
make aggregate-results
make[3]: Entering directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
for f in test-results/t*-*.counts; do \
	echo "$f"; \
done | '/bin/sh' ./aggregate-results.sh
fixed   0
success 6080
failed  0
broken  24
total   6188
make[3]: Leaving directory `/dev/shm/portage/dev-vcs/git-1.7.3.4-r1/work/git-1.7.3.4/t'
====

Agostino Sarubbo: please attach your build.log, and can you make sure that you used FEATURES=userpriv?

Stable on alpha:
=dev-vcs/git-1.6.4.5
=dev-vcs/git-1.7.2.5
=dev-vcs/git-1.7.3.4-r1
Created attachment 257697 [details] build.log
Bug #349083 shouldn't block because with FEATURES="-sandbox" tests shouldn't fail (at least for HPPA PPC). Stable for HPPA PPC.
Everybody that had a problem with 1.7.3.4-r1: The problem was a false positive triggered when the shell of the user running the testsuite was /bin/false. The return status of $SHELL was checked, and the contents of $SHELL -c 'FOO' were never running. I've fixed it in the entire 1.7.3 series now, and will send the patch to upstream shortly.
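The false positive described in the comment above can be told apart from a real test failure by checking whether the shell executed anything at all. This is an added example, not the patch applied in Gentoo or sent upstream; `probe_shell`, `find_false` and `PROBE_SENTINEL` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added illustration; not the Gentoo or upstream git fix.
# probe_shell SHELL_PATH COMMAND prints one of:
#   ran-ok      the shell executed COMMAND and it succeeded
#   ran-failed  the shell executed COMMAND and it failed
#   not-run     the shell exited without executing anything (e.g. /bin/false)
probe_shell() {
    probe_dir=$(mktemp -d) || return 2
    # The sentinel is written by the shell under test itself, so its
    # presence proves that the "-c" code was actually executed.
    if PROBE_SENTINEL="$probe_dir/ran" "$1" -c ': > "$PROBE_SENTINEL"; '"$2" \
            >/dev/null 2>&1; then
        probe_status=0
    else
        probe_status=$?
    fi
    if [ ! -e "$probe_dir/ran" ]; then
        probe_result=not-run        # exit status says nothing about COMMAND
    elif [ "$probe_status" -eq 0 ]; then
        probe_result=ran-ok
    else
        probe_result=ran-failed
    fi
    rm -rf "$probe_dir"
    printf '%s\n' "$probe_result"
}

# Locate a "false" binary to stand in for a build user's login shell.
find_false() {
    for candidate in /bin/false /usr/bin/false; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed demo: the same command through a real shell and through "false".
for sh_path in /bin/sh "$(find_false)"; do
    printf '%s -c true: %s\n' "$sh_path" "$(probe_shell "$sh_path" 'true')"
done
```

A harness that looks only at the exit status sees the same non-zero value for `ran-failed` and `not-run`, which is why the second case shows up as a failed test.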
ppc64 done
x86 stable
amd64 done
alpha/arm/ia64/s390/sh/sparc stable
Thanks, folks. Closing noglsa for XSS.
(In reply to comment #15)
> amd64 done
>

I can see only 1.6.4.4 and 1.7.2.2 stable for amd64 both of which are vulnerable.
(In reply to comment #18)
> (In reply to comment #15)
> > amd64 done
> >
>
> I can see only 1.6.4.4 and 1.7.2.2 stable for amd64 both of which are
> vulnerable.
>

Good catch; thank you. @amd64, ping?
Somehow I forgot(?) to commit the stable ebuilds. Done now. Sorry for the noise.
(In reply to comment #20)
> somehow I forgot(?) to commit the stable ebuilds. Done now. Sorry for the noise
>

Not a problem; thank you.