gitweb multiple remote command injections (CVE-2008-5516 CVE-2008-5517)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
git (CentOS) | Fix Released | Critical | |
gitweb (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
from Red Hat bugzilla https:/
gitweb/gitweb.perl has two security vulnerabilities (CVE-2008-5516, CVE-2008-5517) which can cause remote command injections.
CVE-2008-5517: mistake of git_cmd_str() / affect: < 1.5.6
http://
CVE-2008-5516: git-rev-list | git-diff-tree vuln / affect: < 1.5.5
http://
I checked (only a quick check!) the source of some versions; *maybe* these packages are affected.
- Ubuntu 9.04 : 1:1.6.0.4-1ubuntu1 : not affected ( fixed in upstream )
- Ubuntu 8.10 : 1:1.5.6.
- Ubuntu 8.04 : 1:1.5.4.3-1ubuntu2 <= CVE-2008-5517, CVE-2008-5516
- Ubuntu 7.10 : (unchecked) <= may be affected.
Changed in git: status: Unknown → Confirmed
Changed in gitweb: status: Confirmed → In Progress
Changed in gitweb (Ubuntu Hardy): status: New → Fix Released
Changed in git (CentOS): importance: Unknown → Critical; status: Confirmed → Fix Released
Sebastian Krahmer of the SuSE security team discovered remote command injection flaws in gitweb, caused by insufficient checking of the inputs used to build the argument to perl's open() function. A remote attacker could use these flaws to run arbitrary commands with the privileges of the web server executing gitweb CGI scripts.
The issues are already fixed upstream in the latest git branches. It seems that the security consequences were not noticed when the fixes were applied upstream, as multiple occurrences of similar flaws were fixed in different upstream versions:
CVE-2008-5517 http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
(fixes issues in git_snapshot and git_object, first occurred in 1.5.6)
CVE-2008-5516 http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae
(fixes issue in git_search, first occurred in 1.5.5)
All current Fedora packages use version 1.5.6+, so neither of the issues applies to them. EPEL versions should be affected by one or both of the issues.
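The comment above describes the root cause in general terms: a request parameter reaches perl's open() without adequate checking. The following Perl is an added illustration written for this page; it is not gitweb's code, not the upstream patch, and not taken from the Red Hat report. It places the risky pattern (two-argument open() with a trailing `|`, which lets perl invoke a shell on an interpolated string) beside a hardened form (list-form open(), which forks and execs directly with no shell, plus an allow-list check applied before anything is spawned). The function names `run_unsafe`/`run_safe`, the parameters `$git_dir` and `$rev`, and the `git rev-list` invocation are assumptions chosen for the example.

```perl
#!/usr/bin/perl
# Added example, not gitweb's own code: the same git-rev-list call written
# the risky way and the hardened way. $git_dir is assumed to come from
# trusted configuration; $rev is assumed to arrive from the HTTP request.
use strict;
use warnings;

sub run_unsafe {
    my ($git_dir, $rev) = @_;
    # Two-argument open with a trailing '|': when the command string contains
    # shell metacharacters, perl runs it through /bin/sh, so anything in $rev
    # that the shell understands is interpreted as part of the command line.
    open my $fd, "git --git-dir=$git_dir rev-list $rev |"
        or die "cannot spawn git: $!";
    my @lines = <$fd>;
    close $fd;
    return @lines;
}

sub run_safe {
    my ($git_dir, $rev) = @_;
    # Allow-list first: only an abbreviated or full SHA-1 is accepted.
    # This also blocks values starting with '-', which git would otherwise
    # parse as an option rather than a revision.
    die "invalid revision parameter\n"
        unless defined $rev && $rev =~ /^[0-9a-fA-F]{4,40}\z/;
    # List-form open ("-|", LIST) execs git directly; no shell is involved,
    # so each argument reaches git exactly as given, metacharacters included.
    open my $fd, "-|", "git", "--git-dir=$git_dir", "rev-list", $rev
        or die "cannot spawn git: $!";
    my @lines = <$fd>;
    close $fd;
    return @lines;
}

# Small driver for running the script by hand: perl script.pl <git-dir> <sha1>
unless (caller) {
    my ($dir, $rev) = @ARGV;
    die "usage: $0 <git-dir> <commit-sha1>\n" unless defined $rev;
    my @out = eval { run_safe($dir, $rev) };
    print $@ ? "rejected: $@" : @out;
}
```

The two changes in `run_safe` address different things: the list-form open() removes the shell from the picture regardless of what the parameter contains, while the allow-list keeps git itself from receiving a value it would interpret as an option. Either alone narrows the problem; the comment's point that the flaw recurred in several functions across releases is an argument for applying both consistently at every place a request value is turned into a command argument.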