Your message dated Thu, 4 Feb 2010 00:04:12 +0000
with message-id <[email protected]>
and subject line Re: Bug#567039: trac-git: Arbitrary command execution
has caused the Debian Bug report #567039,
regarding trac-git: Arbitrary command execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
567039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567039
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole


The trac-git package in Debian Lenny - if enabled in Trac - allows a
remote attacker to execute arbitrary commands on the system with the
rights of the user running Trac. The attacker must have the rights to
browse the repository in order to exploit this issue; other parts of
Trac are most likely not affected.

The attached patch fixes the problem; it is not thoroughly tested,
though, but seems to work fine on my test system with a few Git
repositories.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages trac-git depends on:
ii  git-core              1:1.5.6.5-3+lenny2 fast, scalable, distributed revisi
ii  python                2.5.2-3            An interactive high-level object-o
ii  python-central        0.6.8              register and build utility for Pyt
ii  trac                  0.11.1-2.1         Enhanced wiki and issue tracking s

trac-git recommends no packages.

trac-git suggests no packages.

-- no debconf information
--- PyGIT.py.orig       2008-12-09 23:37:18.000000000 +0100
+++ PyGIT.py    2010-01-26 21:21:26.000000000 +0100
@@ -42,10 +42,9 @@
             cmd.append('--git-dir=%s' % self.__git_dir)
         cmd.append(gitcmd)
         cmd.extend(args)
-        strcmd = " ".join(cmd)
 
         #print >>sys.stderr, "GitCore '%s'" % str(cmd)
-        return Popen(strcmd, shell=True, bufsize=0, stdin=PIPE, stdout=PIPE, 
stderr=PIPE, close_fds=True)
+        return Popen(cmd, shell=False, bufsize=0, stdin=PIPE, stdout=PIPE, 
stderr=PIPE, close_fds=True)
 
     def __execute(self, git_cmd, *cmd_args):
         file = self.__execute2(git_cmd, *cmd_args)
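Review bot: the switch from a joined string with `shell=True` to the argv list with `shell=False` is the right fix, since `/bin/sh` no longer re-parses repository-derived values such as ref names and paths, but two things need attention before applying. First, the `Popen(...)` lines in the hunk are wrapped in the mail (the `stderr=PIPE, close_fds=True)` continuation sits on its own line for both the `-` and `+` lines), so the patch will not apply cleanly until those lines are rejoined. Second, `cmd.extend(args)` still forwards every value to git as-is; if any caller passes user-controlled refs or paths, a value beginning with `-` would reach git as an option, so adding a `--` separator in those callers is worth a follow-up.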

--- End Message ---
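The following is an added example, not code from trac-git or the reporter's patch, illustrating the defect the patch above removes: the same `git` argv list built the way the patched `__execute2` builds it (assumed shape), shown both as the old joined string that `shell=True` would hand to `/bin/sh` and as the separate argv elements a child process receives with `shell=False`. A Python child that echoes its argv stands in for `git` so the check runs offline; the constructed ref name and repository path are placeholders.

```python
import json
import subprocess
import sys


def build_git_cmd(git_dir, gitcmd, *args):
    """Build the argv list the way the patched __execute2 does (assumed shape)."""
    cmd = ["git"]
    if git_dir:
        cmd.append("--git-dir=%s" % git_dir)
    cmd.append(gitcmd)
    cmd.extend(args)
    return cmd


# Child program that reports the argv it received, one JSON list.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def argv_seen_by_child(cmd):
    """Run the list with shell=False and return what the child actually saw.

    A Python echo child replaces 'git' so this runs offline; the process
    boundary, and therefore the argument handling, is the same.
    """
    proc = subprocess.Popen(
        [sys.executable, "-c", ECHO_ARGV] + cmd,
        shell=False, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        stderr=subprocess.PIPE, close_fds=True,
    )
    out, _ = proc.communicate()
    return json.loads(out)


def unsafe_join(cmd):
    """Pre-patch behaviour: the list collapsed into one string for shell=True,
    where ';', '|' and '$(...)' inside any element are interpreted by /bin/sh."""
    return " ".join(cmd)


if __name__ == "__main__":
    ref = "HEAD; echo not-a-command"  # constructed ref name with a shell metacharacter
    cmd = build_git_cmd("/srv/repo.git", "rev-list", ref)
    print("shell=True would hand /bin/sh:", unsafe_join(cmd))
    print("shell=False child argv:       ", argv_seen_by_child(cmd))
```

With `shell=False` the ref stays one argv element, so git sees a single (invalid) ref name rather than the shell seeing a second command.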
--- Begin Message ---
Version: 0.0.20080710-3+lenny2

On Wed, Feb 03, 16:01:44 +0100, Florian Weimer wrote:
> Thanks.  I have assigned CVE-2010-0394 to this issue.

Fixed in a new security update. Thanks to Stefan Fritsch for fixing my
screw-up in building the first package.

-- 
Jonny Lamb, UK
[email protected]


--- End Message ---
