Your message dated Sat, 15 Jan 2011 01:54:20 +0000
with message-id <e1pdvlq-0004qf...@franck.debian.org>
and subject line Bug#607248: fixed in git-core 1:1.5.6.5-3+lenny3.3
has caused the Debian Bug report #607248,
regarding gitweb: XSS vulnerability (CVE 2010-3906)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gitweb
Version: 1:1.5.0~rc3-1
Severity: serious
Tags: security patch upstream fixed-upstream

Hi,

As the release notes for git 1.7.2.5 explain:

 * "gitweb" can sometimes be tricked into parrotting a filename argument
   given in a request without properly quoting.

Fixed by v1.6.4.5~1 (gitweb: Introduce esc_attr to escape attributes
of HTML elements, 2010-12-15).  Backport to 1.5.6.5 follows.

-- 8< --
From: Jakub Narebski <jna...@gmail.com>
Date: Wed, 15 Dec 2010 00:34:01 +0100
Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements

It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.

While at it, add esc_url and esc_html where needed, and prefer to use
CGI.pm HTML generating methods than handcrafted HTML code.  Most of
those are probably unnecessary (could be exploited only by person with
write access to gitweb config, or at least access to the repository).

This fixes CVE-2010-3906

Reported-by: Emanuele Gentili <e.gent...@tigersecurity.it>
Helped-by: John 'Warthog9' Hawley <warth...@kernel.org>
Helped-by: Jonathan Nieder <jrnie...@gmail.com>
Signed-off-by: Jakub Narebski <jna...@gmail.com>
Signed-off-by: Junio C Hamano <gits...@pobox.com>
(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
Signed-off-by: Jonathan Nieder <jrnie...@gmail.com>
---
 gitweb/gitweb.perl |   35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f88ce35..6dc9a6a 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -730,6 +730,13 @@ sub esc_url {
        return $str;
 }
 
+# quote unsafe characters in HTML attributes
+sub esc_attr {
+
+       # for XHTML conformance escaping '"' to '&quot;' is not enough
+       return esc_html(@_);
+}
+
 # replace invalid utf8 character with SUBSTITUTION sequence
 sub esc_html ($;%) {
        my $str = shift;
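Review bot: in the new esc_attr, the call esc_html(@_) only works because it is compiled before the ($;%) prototype of esc_html is seen; if the two subs are ever reordered, the `$` slot would put @_ in scalar context and the argument count would be escaped instead of the string. Taking the value explicitly, e.g. `my $str = shift; return esc_html($str, @_);`, removes that ordering dependence. The comment also says what is not enough without saying what esc_html does beyond it; one line naming the characters that matter inside an attribute value would help, and the blank line after the opening brace can go.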
@@ -1106,7 +1113,7 @@ sub format_ref_marker {
                                $name = $ref;
                        }
 
-                       $markers .= " <span class=\"$type\" title=\"$ref\">" .
+                       $markers .= " <span class=\"".esc_attr($type)."\" 
title=\"".esc_attr($ref)."\">" .
                                    esc_html($name) . "</span>";
                }
        }
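Review bot: the replacement line in format_ref_marker still builds the <span> by hand, although the commit message says it prefers CGI.pm generating methods. $type and $ref are plain attribute values here, so something like `$cgi->span({-class => $type, -title => $ref}, esc_html($name))` (using the $cgi object seen elsewhere in this patch) would leave the attribute quoting to CGI.pm and drop both esc_attr calls. The added line also arrives wrapped (the `title=` continuation has no `+` prefix), so the patch needs to be resent unwrapped or as an attachment before it will apply.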
@@ -2517,11 +2524,11 @@ EOF
 # print out each stylesheet that exist
        if (defined $stylesheet) {
 #provides backwards capability for those people who define style sheet in a 
config file
-               print '<link rel="stylesheet" type="text/css" 
href="'.$stylesheet.'"/>'."\n";
+               print '<link rel="stylesheet" type="text/css" 
href="'.esc_url($stylesheet).'"/>'."\n";
        } else {
                foreach my $stylesheet (@stylesheets) {
                        next unless $stylesheet;
-                       print '<link rel="stylesheet" type="text/css" 
href="'.$stylesheet.'"/>'."\n";
+                       print '<link rel="stylesheet" type="text/css" 
href="'.esc_url($stylesheet).'"/>'."\n";
                }
        }
        if (defined $project) {
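Review bot: both stylesheet branches now carry the same print with the same esc_url call; folding them into one loop, e.g. `foreach my $css (defined $stylesheet ? $stylesheet : @stylesheets)`, would keep the escaping in one place (note that only the else branch currently has `next unless $stylesheet`, so decide whether the skip should apply to both). It is also worth confirming that esc_url leaves a stylesheet URL with a query string usable, since these values are whole URLs from the config rather than path components.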
@@ -2534,7 +2541,7 @@ EOF
                        my $type = lc($format);
                        my %link_attr = (
                                '-rel' => 'alternate',
-                               '-title' => "$project - $href_params{'-title'} 
- $format feed",
+                               '-title' => esc_attr("$project - 
$href_params{'-title'} - $format feed"),
                                '-type' => "application/$type+xml"
                        );
 
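Review bot: in %link_attr the '-title' value is now pre-escaped, but the '-rel' / '-title' / '-type' keys follow the CGI.pm argument convention, and the commit message says esc_attr is only for handcrafted elements. How the hash is emitted is outside this hunk; if it is interpolated into a hand-written <link>, a short comment saying so would stop a later conversion to a CGI.pm call from escaping the title twice.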
@@ -2561,13 +2568,13 @@ EOF
        } else {
                printf('<link rel="alternate" title="%s projects list" '.
                       'href="%s" type="text/plain; charset=utf-8" />'."\n",
-                      $site_name, href(project=>undef, 
action=>"project_index"));
+                      esc_attr($site_name), href(project=>undef, 
action=>"project_index"));
                printf('<link rel="alternate" title="%s projects feeds" '.
                       'href="%s" type="text/x-opml" />'."\n",
-                      $site_name, href(project=>undef, action=>"opml"));
+                      esc_attr($site_name), href(project=>undef, 
action=>"opml"));
        }
        if (defined $favicon) {
-               print qq(<link rel="shortcut icon" href="$favicon" 
type="image/png" />\n);
+               print qq(<link rel="shortcut icon" 
href=").esc_url($favicon).qq(" type="image/png" />\n);
        }
 
        print "</head>\n" .
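Review bot: in the two printf calls only the title argument is escaped; the href(...) results still go into href="%s" exactly as returned. If href() is guaranteed to return an attribute-safe string, a comment at the printf would make that explicit; otherwise wrap it the same way as $site_name. The favicon line also changes from one interpolated qq() to three concatenated pieces; escaping into a local variable first and interpolating that would keep the single template readable.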
@@ -2582,7 +2589,7 @@ EOF
        print "<div class=\"page_header\">\n" .
              $cgi->a({-href => esc_url($logo_url),
                       -title => $logo_label},
-                     qq(<img src="$logo" width="72" height="27" alt="git" 
class="logo"/>));
+                     qq(<img src=").esc_url($logo).qq(" width="72" height="27" 
alt="git" class="logo"/>));
        print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
        if (defined $project) {
                print $cgi->a({-href => href(action=>"summary")}, 
esc_html($project));
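Review bot: $logo is now escaped for the src attribute, but in the next statement $home_link_str is still passed to $cgi->a as element content without esc_html, unlike esc_html($project) two lines below it. If that variable is meant to accept markup from the config, say so in a comment; if not, escape it here as well.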
@@ -4287,7 +4294,7 @@ HTML
                        $lineno   = $4;
                        $data     = $5;
                } else {
-                       print qq(  <tr><td colspan="5" class="error">Unable to 
parse: $line</td></tr>\n);
+                       print qq(  <tr><td colspan="5" class="error">Unable to 
parse: ).esc_html($line).qq(</td></tr>\n);
                        next;
                }
                $short_rev  = substr ($long_rev, 0, 8);
@@ -4444,14 +4451,14 @@ sub git_blob {
        } else {
                print "<div class=\"page_nav\">\n" .
                      "<br/><br/></div>\n" .
-                     "<div class=\"title\">$hash</div>\n";
+                     "<div class=\"title\">".esc_html($hash)."</div>\n";
        }
        git_print_page_path($file_name, "blob", $hash_base);
        print "<div class=\"page_body\">\n";
        if ($mimetype =~ m!^image/!) {
-               print qq!<img type="$mimetype"!;
+               print qq!<img type="!.esc_attr($mimetype).qq!"!;
                if ($file_name) {
-                       print qq! alt="$file_name" title="$file_name"!;
+                       print qq! alt="!.esc_attr($file_name).qq!" 
title="!.esc_attr($file_name).qq!"!;
                }
                print qq! src="! .
                      href(action=>"blob_plain", hash=>$hash,
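Review bot: this is the request-supplied file name the bug report is about, and the diffstat touches only gitweb/gitweb.perl, so the fix has no regression test; a test that requests an image blob whose name contains `"` and `<` and checks that alt and title come back quoted would pin it. On the alt/title line esc_attr($file_name) is evaluated twice; computing it once into a local variable would shorten the line.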
@@ -4517,7 +4524,7 @@ sub git_tree {
                undef $hash_base;
                print "<div class=\"page_nav\">\n";
                print "<br/><br/></div>\n";
-               print "<div class=\"title\">$hash</div>\n";
+               print "<div class=\"title\">".esc_html($hash)."</div>\n";
        }
        if (defined $file_name) {
                $basedir = $file_name;
@@ -4942,7 +4949,7 @@ sub git_blobdiff {
                        git_print_header_div('commit', esc_html($co{'title'}), 
$hash_base);
                } else {
                        print "<div 
class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
-                       print "<div class=\"title\">$hash vs 
$hash_parent</div>\n";
+                       print "<div class=\"title\">".esc_html("$hash vs 
$hash_parent")."</div>\n";
                }
                if (defined $file_name) {
                        git_print_page_path($file_name, "blob", $hash_base);
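Review bot: this is the third hand-written <div class="title"> in the patch that gets an esc_html wrapped around its content (git_blob, git_tree and here), while the other branch of this if already goes through git_print_header_div. A small helper for the plain-title case would keep the escaping in one place so that a future caller cannot leave it out.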
-- 
1.7.2.3




--- End Message ---
--- Begin Message ---
Source: git-core
Source-Version: 1:1.5.6.5-3+lenny3.3

We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:

git-arch_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-arch_1.5.6.5-3+lenny3.3_all.deb
git-core_1.5.6.5-3+lenny3.3.diff.gz
  to main/g/git-core/git-core_1.5.6.5-3+lenny3.3.diff.gz
git-core_1.5.6.5-3+lenny3.3.dsc
  to main/g/git-core/git-core_1.5.6.5-3+lenny3.3.dsc
git-core_1.5.6.5-3+lenny3.3_amd64.deb
  to main/g/git-core/git-core_1.5.6.5-3+lenny3.3_amd64.deb
git-cvs_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-cvs_1.5.6.5-3+lenny3.3_all.deb
git-daemon-run_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.3_all.deb
git-doc_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-doc_1.5.6.5-3+lenny3.3_all.deb
git-email_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-email_1.5.6.5-3+lenny3.3_all.deb
git-gui_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-gui_1.5.6.5-3+lenny3.3_all.deb
git-svn_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/git-svn_1.5.6.5-3+lenny3.3_all.deb
gitk_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/gitk_1.5.6.5-3+lenny3.3_all.deb
gitweb_1.5.6.5-3+lenny3.3_all.deb
  to main/g/git-core/gitweb_1.5.6.5-3+lenny3.3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 13 Jan 2011 23:13:05 -0600
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: all amd64 source
Version: 1:1.5.6.5-3+lenny3.3
Distribution: stable
Urgency: medium
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Closes: 607248
Description: 
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes: 
 git-core (1:1.5.6.5-3+lenny3.3) stable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/diff/0010-CVE-2010-3906.diff:
     new; gitweb: do not parrot filenames or other arguments given
     in a request without proper quoting (closes: #607248).
--- End Message ---