rpms/git/EL-5 CVE-2008-5517.patch,NONE,1.1 git.spec,1.37,1.38

Todd M. Zullinger tmz at fedoraproject.org
Mon Jan 12 20:07:51 UTC 2009


Author: tmz

Update of /cvs/extras/rpms/git/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv840

Modified Files:
	git.spec 
Added Files:
	CVE-2008-5517.patch 
Log Message:
* Mon Jan 12 2009 Todd Zullinger <tmz at pobox.com> 1.5.5.6-2
- Fix CVE-2008-5517, gitweb remote command injection


CVE-2008-5517.patch:

--- NEW FILE CVE-2008-5517.patch ---
>From 516381d50ba7acb66f260461f4d566ab9b6df107 Mon Sep 17 00:00:00 2001
From: Lea Wiemann <lewiemann at gmail.com>
Date: Tue, 17 Jun 2008 23:46:35 +0200
Subject: [PATCH] gitweb: quote commands properly when calling the shell

This eliminates the function git_cmd_str, which was used for composing
command lines, and adds a quote_command function, which quotes all of
its arguments (as in quote.c).

Signed-off-by: Lea Wiemann <LeWiemann at gmail.com>
Signed-off-by: Junio C Hamano <gitster at pobox.com>
---
 gitweb/gitweb.perl |   24 ++++++++++++++----------
 1 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 4de9647..d7ee267 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1500,9 +1500,13 @@ sub git_cmd {
 	return $GIT, '--git-dir='.$git_dir;
 }
 
-# returns path to the core git executable and the --git-dir parameter as string
-sub git_cmd_str {
-	return join(' ', git_cmd());
+# quote the given arguments for passing them to the shell
+# quote_command("command", "arg 1", "arg with ' and ! characters")
+# => "'command' 'arg 1' 'arg with '\'' and '\!' characters'"
+# Try to avoid using this function wherever possible.
+sub quote_command {
+	return join(' ',
+		    map( { my $a = $_; $a =~ s/(['!])/'\\$1'/g; "'$a'" } @_ ));
 }
 
 # get HEAD ref of given project as hash
@@ -4633,7 +4637,6 @@ sub git_snapshot {
 		$hash = git_get_head_hash($project);
 	}
 
-	my $git_command = git_cmd_str();
 	my $name = $project;
 	$name =~ s,([^/])/*\.git$,$1,;
 	$name = basename($name);
@@ -4641,11 +4644,12 @@ sub git_snapshot {
 	$name =~ s/\047/\047\\\047\047/g;
 	my $cmd;
 	$filename .= "-$hash$known_snapshot_formats{$format}{'suffix'}";
-	$cmd = "$git_command archive " .
-		"--format=$known_snapshot_formats{$format}{'format'} " .
-		"--prefix=\'$name\'/ $hash";
+	$cmd = quote_command(
+		git_cmd(), 'archive',
+		"--format=$known_snapshot_formats{$format}{'format'}",
+		"--prefix=$name/", $hash);
 	if (exists $known_snapshot_formats{$format}{'compressor'}) {
-		$cmd .= ' | ' . join ' ', @{$known_snapshot_formats{$format}{'compressor'}};
+		$cmd .= ' | ' . quote_command(@{$known_snapshot_formats{$format}{'compressor'}});
 	}
 
 	print $cgi->header(
@@ -4858,8 +4862,8 @@ sub git_object {
 	if ($hash || ($hash_base && !defined $file_name)) {
 		my $object_id = $hash || $hash_base;
 
-		my $git_command = git_cmd_str();
-		open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null"
+		open my $fd, "-|", quote_command(
+			git_cmd(), 'cat-file', '-t', $object_id) . ' 2> /dev/null'
 			or die_error('404 Not Found', "Object does not exist");
 		$type = <$fd>;
 		chomp $type;
-- 
1.6.1



Index: git.spec
===================================================================
RCS file: /cvs/extras/rpms/git/EL-5/git.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- git.spec	20 Dec 2008 18:15:40 -0000	1.37
+++ git.spec	12 Jan 2009 20:07:21 -0000	1.38
@@ -1,7 +1,7 @@
 # Pass --without docs to rpmbuild if you don't want the documentation
 Name: 		git
 Version: 	1.5.5.6
-Release: 	1%{?dist}
+Release: 	2%{?dist}
 Summary:  	Core git tools
 License: 	GPL
 Group: 		Development/Tools
@@ -11,6 +11,7 @@
 Source2:	git.xinetd
 Source3:	git.conf.httpd
 Patch0:		git-1.5-gitweb-home-link.patch
+Patch1:         CVE-2008-5517.patch
 BuildRequires:	perl, zlib-devel >= 1.2, openssl-devel, curl-devel, expat-devel, emacs, gettext %{!?_without_docs:, xmlto, asciidoc > 6.0.3}
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -120,6 +121,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1 -b .CVE-2008-5517
 
 %build
 make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \
@@ -244,6 +246,9 @@
 # No files for you!
 
 %changelog
+* Mon Jan 12 2009 Todd Zullinger <tmz at pobox.com> 1.5.5.6-2
+- Fix CVE-2008-5517, gitweb remote command injection
+
 * Sat Dec 20 2008 James Bowes <jbowes at redhat.com> 1.5.5.6-1
 - git-1.5.5.6
 




More information about the fedora-extras-commits mailing list