Your message dated Sat, 15 Jan 2011 01:54:20 +0000
with message-id <e1pdvlq-0004qf...@franck.debian.org>
and subject line Bug#607248: fixed in git-core 1:1.5.6.5-3+lenny3.3
has caused the Debian Bug report #607248,
regarding gitweb: XSS vulnerability (CVE 2010-3906)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
607248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gitweb
Version: 1:1.5.0~rc3-1
Severity: serious
Tags: security patch upstream fixed-upstream
Hi,
As the release notes for git 1.7.2.5 explain:
* "gitweb" can sometimes be tricked into parrotting a filename argument
given in a request without properly quoting.
Fixed by v1.6.4.5~1 (gitweb: Introduce esc_attr to escape attributes
of HTML elements, 2010-12-15). Backport to 1.5.6.5 follows.
-- 8< --
From: Jakub Narebski <jna...@gmail.com>
Date: Wed, 15 Dec 2010 00:34:01 +0100
Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements
It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.
While at it, add esc_url and esc_html where needed, and prefer to use
CGI.pm HTML generating methods than handcrafted HTML code. Most of
those are probably unnecessary (could be exploited only by person with
write access to gitweb config, or at least access to the repository).
This fixes CVE-2010-3906
Reported-by: Emanuele Gentili <e.gent...@tigersecurity.it>
Helped-by: John 'Warthog9' Hawley <warth...@kernel.org>
Helped-by: Jonathan Nieder <jrnie...@gmail.com>
Signed-off-by: Jakub Narebski <jna...@gmail.com>
Signed-off-by: Junio C Hamano <gits...@pobox.com>
(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
Signed-off-by: Jonathan Nieder <jrnie...@gmail.com>
---
gitweb/gitweb.perl | 35 +++++++++++++++++++++--------------
1 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f88ce35..6dc9a6a 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -730,6 +730,13 @@ sub esc_url {
return $str;
}
+# quote unsafe characters in HTML attributes
+sub esc_attr {
+
+ # for XHTML conformance escaping '"' to '"' is not enough
+ return esc_html(@_);
+}
+
# replace invalid utf8 character with SUBSTITUTION sequence
sub esc_html ($;%) {
my $str = shift;
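Review bot: the comment on the new `esc_attr` reads `escaping '"' to '"' is not enough`, which as written is a no-op and does not explain why the sub delegates to `esc_html`; spell out the intended target entity (`&quot;`) and state which characters `esc_html` is relied on to neutralise, since that contract is what every `esc_attr` caller in this patch depends on. Also drop the stray blank `+` line directly after `sub esc_attr {`.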
@@ -1106,7 +1113,7 @@ sub format_ref_marker {
$name = $ref;
}
- $markers .= " <span class=\"$type\" title=\"$ref\">" .
+ $markers .= " <span class=\"".esc_attr($type)."\"
title=\"".esc_attr($ref)."\">" .
esc_html($name) . "</span>";
}
}
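Review bot: good that `$type` and `$ref` are now escaped separately from `$name`. Because `esc_attr` currently just forwards to `esc_html`, a short comment here (or on `esc_attr`) explaining that the attribute slots use `esc_attr` for intent and greppability would help keep future changes to the two functions consistent.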
@@ -2517,11 +2524,11 @@ EOF
# print out each stylesheet that exist
if (defined $stylesheet) {
#provides backwards capability for those people who define style sheet in a
config file
- print '<link rel="stylesheet" type="text/css"
href="'.$stylesheet.'"/>'."\n";
+ print '<link rel="stylesheet" type="text/css"
href="'.esc_url($stylesheet).'"/>'."\n";
} else {
foreach my $stylesheet (@stylesheets) {
next unless $stylesheet;
- print '<link rel="stylesheet" type="text/css"
href="'.$stylesheet.'"/>'."\n";
+ print '<link rel="stylesheet" type="text/css"
href="'.esc_url($stylesheet).'"/>'."\n";
}
}
if (defined $project) {
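Review bot: `esc_url($stylesheet)` has to satisfy two contexts at once: it must yield a usable URL and must not let `"` or `>` survive into the handcrafted `href="..."` attribute. The hunk context only shows `esc_url`'s `return $str;`, so confirm its character whitelist percent-encodes the double quote; otherwise the value should additionally pass through `esc_attr`. Note that `$stylesheet` is config-controlled, which matches the commit message's low-risk rating.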
@@ -2534,7 +2541,7 @@ EOF
my $type = lc($format);
my %link_attr = (
'-rel' => 'alternate',
- '-title' => "$project - $href_params{'-title'}
- $format feed",
+ '-title' => esc_attr("$project -
$href_params{'-title'} - $format feed"),
'-type' => "application/$type+xml"
);
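Review bot: only `-title` is escaped in `%link_attr`; `-type` is built from `$format` via `my $type = lc($format)` and `-rel` is a literal. If `%link_attr` is later interpolated into a handcrafted `<link>` tag rather than handed to a CGI.pm helper (nothing in this hunk shows which), `$format` should either go through `esc_attr` too or carry a comment stating it comes from a fixed list of feed formats.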
@@ -2561,13 +2568,13 @@ EOF
} else {
printf('<link rel="alternate" title="%s projects list" '.
'href="%s" type="text/plain; charset=utf-8" />'."\n",
- $site_name, href(project=>undef,
action=>"project_index"));
+ esc_attr($site_name), href(project=>undef,
action=>"project_index"));
printf('<link rel="alternate" title="%s projects feeds" '.
'href="%s" type="text/x-opml" />'."\n",
- $site_name, href(project=>undef, action=>"opml"));
+ esc_attr($site_name), href(project=>undef,
action=>"opml"));
}
if (defined $favicon) {
- print qq(<link rel="shortcut icon" href="$favicon"
type="image/png" />\n);
+ print qq(<link rel="shortcut icon"
href=").esc_url($favicon).qq(" type="image/png" />\n);
}
print "</head>\n" .
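Review bot: `esc_attr($site_name)` is right for the `title="%s"` slot, but the `href="%s"` slot still takes the bare `href(...)` return value and `printf` does no escaping, so confirm `href()` output is attribute-safe. For the favicon line, the change turns one `qq(...)` literal into three concatenated pieces around `esc_url($favicon)`; a quick `perl -c` and a rendered-page check are warranted, since a misplaced quote here breaks the whole `<head>`.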
@@ -2582,7 +2589,7 @@ EOF
print "<div class=\"page_header\">\n" .
$cgi->a({-href => esc_url($logo_url),
-title => $logo_label},
- qq(<img src="$logo" width="72" height="27" alt="git"
class="logo"/>));
+ qq(<img src=").esc_url($logo).qq(" width="72" height="27"
alt="git" class="logo"/>));
print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
if (defined $project) {
print $cgi->a({-href => href(action=>"summary")},
esc_html($project));
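Review bot: `$cgi->a({...}, $content)` escapes the values in its attribute hash (`-href`, `-title`) but inserts `$content` verbatim, which is exactly why the handcrafted `<img>` needs its own `esc_url($logo)`. A one-line comment saying so would prevent a later cleanup from dropping the call on the assumption that CGI.pm covers it; leaving `$logo_label` to CGI.pm is consistent with the commit message.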
@@ -4287,7 +4294,7 @@ HTML
$lineno = $4;
$data = $5;
} else {
- print qq( <tr><td colspan="5" class="error">Unable to
parse: $line</td></tr>\n);
+ print qq( <tr><td colspan="5" class="error">Unable to
parse: ).esc_html($line).qq(</td></tr>\n);
next;
}
$short_rev = substr ($long_rev, 0, 8);
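Review bot: escaping `$line` in the blame parse-error row is correct, since it echoes unparsed input back into the page. Consider also truncating `$line` before `esc_html`: the row exists to flag a malformed line, not to reproduce it, and a very long line degrades the table layout.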
@@ -4444,14 +4451,14 @@ sub git_blob {
} else {
print "<div class=\"page_nav\">\n" .
"<br/><br/></div>\n" .
- "<div class=\"title\">$hash</div>\n";
+ "<div class=\"title\">".esc_html($hash)."</div>\n";
}
git_print_page_path($file_name, "blob", $hash_base);
print "<div class=\"page_body\">\n";
if ($mimetype =~ m!^image/!) {
- print qq!<img type="$mimetype"!;
+ print qq!<img type="!.esc_attr($mimetype).qq!"!;
if ($file_name) {
- print qq! alt="$file_name" title="$file_name"!;
+ print qq! alt="!.esc_attr($file_name).qq!"
title="!.esc_attr($file_name).qq!"!;
}
print qq! src="! .
href(action=>"blob_plain", hash=>$hash,
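Review bot: the `<img>` in `git_blob` is now assembled from three separately escaped pieces (`$mimetype`, and `$file_name` twice) glued together with `qq!...!` literals; each `"` boundary is easy to get wrong, so a `perl -c` plus a test render of an image blob whose path contains a quote is worthwhile. The `src` attribute (context lines) still relies on `href()` alone.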
@@ -4517,7 +4524,7 @@ sub git_tree {
undef $hash_base;
print "<div class=\"page_nav\">\n";
print "<br/><br/></div>\n";
- print "<div class=\"title\">$hash</div>\n";
+ print "<div class=\"title\">".esc_html($hash)."</div>\n";
}
if (defined $file_name) {
$basedir = $file_name;
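Review bot: consistent with the `git_blob` hunk. The same `"<div class=\"title\">".esc_html($hash)."</div>\n"` pattern now appears in several places; a small shared helper would avoid repeating it, but that is cosmetic and can follow the security fix.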
@@ -4942,7 +4949,7 @@ sub git_blobdiff {
git_print_header_div('commit', esc_html($co{'title'}),
$hash_base);
} else {
print "<div
class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
- print "<div class=\"title\">$hash vs
$hash_parent</div>\n";
+ print "<div class=\"title\">".esc_html("$hash vs
$hash_parent")."</div>\n";
}
if (defined $file_name) {
git_print_page_path($file_name, "blob", $hash_base);
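Review bot: `esc_html("$hash vs $hash_parent")` is fine, but the context line just above interpolates `$formats_nav` into the `page_nav` div unescaped; it is unchanged here, so confirm it is assembled from already-escaped fragments (`href()`/`esc_html` output) rather than raw request parameters.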
--
1.7.2.3
--- End Message ---
--- Begin Message ---
Source: git-core
Source-Version: 1:1.5.6.5-3+lenny3.3
We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:
git-arch_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-arch_1.5.6.5-3+lenny3.3_all.deb
git-core_1.5.6.5-3+lenny3.3.diff.gz
to main/g/git-core/git-core_1.5.6.5-3+lenny3.3.diff.gz
git-core_1.5.6.5-3+lenny3.3.dsc
to main/g/git-core/git-core_1.5.6.5-3+lenny3.3.dsc
git-core_1.5.6.5-3+lenny3.3_amd64.deb
to main/g/git-core/git-core_1.5.6.5-3+lenny3.3_amd64.deb
git-cvs_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-cvs_1.5.6.5-3+lenny3.3_all.deb
git-daemon-run_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.3_all.deb
git-doc_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-doc_1.5.6.5-3+lenny3.3_all.deb
git-email_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-email_1.5.6.5-3+lenny3.3_all.deb
git-gui_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-gui_1.5.6.5-3+lenny3.3_all.deb
git-svn_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/git-svn_1.5.6.5-3+lenny3.3_all.deb
gitk_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/gitk_1.5.6.5-3+lenny3.3_all.deb
gitweb_1.5.6.5-3+lenny3.3_all.deb
to main/g/git-core/gitweb_1.5.6.5-3+lenny3.3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Thu, 13 Jan 2011 23:13:05 -0600
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run
git-gui gitk gitweb
Architecture: all amd64 source
Version: 1:1.5.6.5-3+lenny3.3
Distribution: stable
Urgency: medium
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Closes: 607248
Description:
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system
(git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
git-core (1:1.5.6.5-3+lenny3.3) stable; urgency=medium
.
* Non-maintainer upload.
* debian/diff/0010-CVE-2010-3906.diff:
new; gitweb: do not parrot filenames or other arguments given
in a request without proper quoting (closes: #607248).
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---