Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Roland Mas
Moritz Muehlenhoff, 2007-05-21 14:26:38 +0200 :

 Roland Mas wrote:
   I'd like to upload a fixed package to sid and etch-security (sarge
 is not affected).  I'd welcome feedback on the patch

 I only had a brief look at it, but I generally recommend to identify
 a set of allowed and known to be secure characters and only allow
 these instead of filtering potential malicious characters.  So, if
 the value to be sanitised is a file name you could limit it to /,
 a-z, A-Z and 0-9.

The problem is that people have this tendency to put all kinds of
strange files into CVS, sometimes with strange names, so such a strict
whitelist is going to make lots of people unhappy.  Especially now
UTF-8 is actually being used more and more widely, people tend to
assume it's okay to use non-ASCII characters in file names.

 If you want to filter the input as in your proposed patch please
 make sure to compare your list of harmful characters against the
 list from the Security Unix Programming HOWTO:
 http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html

  Okay, I updated the patch.  The sanitising line now looks like this:

$path_info = preg_replace ('/[][{}()\n\r\'\\\$`;|#*?^]/', '', $path_info) ;

 and instructions on how to do the upload the proper way.  In the
 meantime, I'll port the patch to the current upstream SVN
 repository, and coordinate with other upstream authors so it can
 get applied to all relevant branches.

 If you upload a fixed package to anonymous-security, please make
 sure it's built sourceful (with -sa), as gforge is new inside the
 stable-security suite.

  I assume you mean s/anonymous-security/stable-security/, and I just
need to change the distribution inside changelog and debuild -sa,
right?

 Do other distributions include GForge? If so, I can coordinate with
 other vendors through vendor-sec.

  I think Ubuntu Universe includes it, and possibly other
Debian-derivatives as well, but I doubt it's in many distros.  The RPM
packaging isn't really taken care of.

Roland.
-- 
Roland Mas

What's yellow, weighs two hundred kilos and sings?
A canary.  Nice beast, isn't it?




Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Moritz Muehlenhoff
Roland Mas wrote:
 Bernhard R. Link [EMAIL PROTECTED] found a remote shell code
 injection vulnerability bug in the CVS browsing interface of Gforge,
 as used on Alioth and packaged in gforge-plugin-scmcvs.  A specially
 crafted URL could execute arbitrary commands as the www-data user, as
 demonstrated by the following example:

Which version will fix this in unstable?

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Moritz Muehlenhoff
Roland Mas wrote:
 [Cc:ing bug discoverer and Alioth admins]

 Bernhard R. Link [EMAIL PROTECTED] found a remote shell code
 injection vulnerability bug in the CVS browsing interface of Gforge,
 as used on Alioth and packaged in gforge-plugin-scmcvs.  A specially
 crafted URL could execute arbitrary commands as the www-data user, as
 demonstrated by the following example:

Joey, please assign a CVE ID. I'll release the update today.

Cheers,
Moritz






Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Moritz Muehlenhoff
Roland Mas wrote:
   I'd like to upload a fixed package to sid and etch-security (sarge
 is not affected).  I'd welcome feedback on the patch

I only had a brief look at it, but I generally recommend to identify
a set of allowed and known to be secure characters and only allow
these instead of filtering potential malicious characters.
So, if the value to be sanitised is a file name you could limit it to 
/, a-z, A-Z and 0-9. 

If you want to filter the input as in your proposed patch please make
sure to compare your list of harmful characters against the list from
the Security Unix Programming HOWTO:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html

 and instructions
 on how to do the upload the proper way.  In the meantime, I'll port
 the patch to the current upstream SVN repository, and coordinate with
 other upstream authors so it can get applied to all relevant branches.

If you upload a fixed package to anonymous-security, please make sure it's
built sourceful (with -sa), as gforge is new inside the stable-security
suite.

Do other distributions include GForge? If so, I can coordinate with other
vendors through vendor-sec.

Cheers,
Moritz






Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Stephen Gran
This one time, at band camp, Moritz Muehlenhoff said:
 Roland Mas wrote:
I'd like to upload a fixed package to sid and etch-security (sarge
  is not affected).  I'd welcome feedback on the patch
 
 I only had a brief look at it, but I generally recommend to identify
 a set of allowed and known to be secure characters and only allow
 these instead of filtering potential malicious characters.
 So, if the value to be sanitised is a file name you could limit it to 
 /, a-z, A-Z and 0-9. 
 
 If you want to filter the input as in your proposed patch please make
 sure to compare your list of harmful characters against the list from
 the Security Unix Programming HOWTO:
 http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html

This is also helpful:
http://www.wiretrip.net/rfp/txt/phrack55.txt

(aimed at perl, but the same principles apply).
-- 
 --------------------------------------------
|   ,''`.                        Stephen Gran|
|  : :' :                   [EMAIL PROTECTED]|
|  `. `'    Debian user, admin, and developer|
|    `-                 http://www.debian.org|
 --------------------------------------------




Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Martin Schulze
Moritz Muehlenhoff wrote:
 Roland Mas wrote:
  [Cc:ing bug discoverer and Alioth admins]
 
  Bernhard R. Link [EMAIL PROTECTED] found a remote shell code
  injection vulnerability bug in the CVS browsing interface of Gforge,
  as used on Alioth and packaged in gforge-plugin-scmcvs.  A specially
  crafted URL could execute arbitrary commands as the www-data user, as
  demonstrated by the following example:
 
 Joey, please assign a CVE ID. I'll release the update today.

Please use CVE-2007-0246.

Regards,

Joey

-- 
Every use of Linux is a proper use of Linux.  -- Jon 'maddog' Hall






Bug#438494: Security bug in gforge-plugin-scmcvs

2007-08-17 Thread Bernhard R. Link
* Roland Mas [EMAIL PROTECTED] [070521 17:04]:
  I only had a brief look at it, but I generally recommend to identify
  a set of allowed and known to be secure characters and only allow
  these instead of filtering potential malicious characters.  So, if
  the value to be sanitised is a file name you could limit it to /,
  a-z, A-Z and 0-9.
 
 The problem is that people have this tendency to put all kinds of
 strange files into CVS, sometimes with strange names, so such a strict
 whitelist is going to make lots of people unhappy.  Especially now
 UTF-8 is actually being used more and more widely, people tend to
 assume it's okay to use non-ASCII characters in file names.

I think the problem is that the argument is given within "s to a shell.
If it was within 's, then ' should be the only dangerous character.
(At least at that point. The called program might have additional holes).

Yours faithfully,
Bernhard R. Link



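Added example, written for this page and not code from the thread or from GForge: the three approaches the thread discusses (Moritz's allow-list, Roland's preg_replace blacklist, and Bernhard's point that a single-quoted argument only needs the single quote handled), side by side in Python so they can be run against the same inputs. The blacklist is the character class from Roland's preg_replace line, translated to a Python regex. The allow-list is Moritz's /, a-z, A-Z, 0-9, extended here with dot and hyphen; that extension is ours, and even with it Roland's objection holds, since a UTF-8 file name loses its non-ASCII letters. dq_special_survivors reports which of the characters a POSIX shell still interprets between double quotes (dollar sign, backtick, backslash and the double quote itself) survive the blacklist; the class in the thread does not list the double quote, but whether that is reachable depends on the command line the plugin actually builds, which the thread does not show. shlex.quote does the single-quoting Bernhard describes (the same idea as PHP's escapeshellarg()), and the last function shows the option that removes the quoting question entirely: pass an argv list and never invoke a shell. The sample inputs are constructed for the example.

```python
import re
import shlex
import subprocess
import sys

# Character class from the preg_replace line in Roland's message, with the PHP
# single-quoted-string escapes resolved (\' -> ', \\ -> \, \$ stays \$).
BLACKLIST = re.compile(r"[][{}()\n\r'\\$`;|#*?^]")

# Moritz's allow-list (/, a-z, A-Z, 0-9), extended with '.' and '-' for this
# example; that extension is ours, not something the thread proposes.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9/.\-]")

# Characters a POSIX shell still interprets between double quotes.
DQ_SPECIAL = frozenset('$`\\"')


def blacklist_filter(path_info: str) -> str:
    """Strip the characters the thread's patch strips; everything else passes."""
    return BLACKLIST.sub("", path_info)


def allowlist_filter(path_info: str) -> str:
    """Keep only allow-listed characters; non-ASCII letters are dropped."""
    return NOT_ALLOWED.sub("", path_info)


def dq_special_survivors(path_info: str) -> str:
    """Double-quote-special characters that survive the blacklist, sorted."""
    return "".join(sorted(DQ_SPECIAL.intersection(blacklist_filter(path_info))))


def single_quoted(path_info: str) -> str:
    """Single-quote for sh: only an embedded ' needs special handling."""
    return shlex.quote(path_info)


def echo_via_sh(path_info: str) -> str:
    """Pass the value through /bin/sh inside a command string, single-quoted.

    printf's format is fixed; the argument comes back byte-for-byte, so
    $(...), backticks, ; and ' in the input are never interpreted.
    """
    cmd = "printf '%s' " + single_quoted(path_info)
    done = subprocess.run(["sh", "-c", cmd], capture_output=True,
                          encoding="utf-8", check=True)
    return done.stdout


def echo_without_sh(path_info: str) -> str:
    """Skip the shell entirely: an argv list needs no quoting at all."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])",
            path_info]
    done = subprocess.run(argv, capture_output=True, encoding="utf-8", check=True)
    return done.stdout


if __name__ == "__main__":
    # Constructed samples: a hostile path and an ordinary UTF-8 one.
    hostile = "module/dir/$(id)/file'name\";id;#.c"
    utf8 = "docs/résumé.txt"
    print("blacklist :", blacklist_filter(hostile))
    print("survivors :", dq_special_survivors(hostile))
    print("allowlist :", allowlist_filter(utf8))
    print("quoted    :", single_quoted(hostile))
    print("via sh    :", echo_via_sh(hostile) == hostile)
    print("no shell  :", echo_without_sh(hostile) == hostile)
```

Running it shows the blacklist leaving the double quote in place while the allow-list strips the accented letters from the UTF-8 name, and both quoting strategies returning the hostile path unchanged: the command substitution and the embedded quote reach the child program as plain text. The argv form is the one to prefer when the called program is known; the single-quote form is the fallback when a shell command string really is needed.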