rpms/git/EL-5 CVE-2008-5517.patch,NONE,1.1 git.spec,1.37,1.38
Todd M. Zullinger
tmz at fedoraproject.org
Mon Jan 12 20:07:51 UTC 2009
Author: tmz
Update of /cvs/extras/rpms/git/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv840
Modified Files:
git.spec
Added Files:
CVE-2008-5517.patch
Log Message:
* Mon Jan 12 2009 Todd Zullinger <tmz at pobox.com> 1.5.5.6-2
- Fix CVE-2008-5517, gitweb remote command injection
CVE-2008-5517.patch:
--- NEW FILE CVE-2008-5517.patch ---
>From 516381d50ba7acb66f260461f4d566ab9b6df107 Mon Sep 17 00:00:00 2001
From: Lea Wiemann <lewiemann at gmail.com>
Date: Tue, 17 Jun 2008 23:46:35 +0200
Subject: [PATCH] gitweb: quote commands properly when calling the shell
This eliminates the function git_cmd_str, which was used for composing
command lines, and adds a quote_command function, which quotes all of
its arguments (as in quote.c).
Signed-off-by: Lea Wiemann <LeWiemann at gmail.com>
Signed-off-by: Junio C Hamano <gitster at pobox.com>
---
gitweb/gitweb.perl | 24 ++++++++++++++----------
1 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 4de9647..d7ee267 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1500,9 +1500,13 @@ sub git_cmd {
return $GIT, '--git-dir='.$git_dir;
}
-# returns path to the core git executable and the --git-dir parameter as string
-sub git_cmd_str {
- return join(' ', git_cmd());
+# quote the given arguments for passing them to the shell
+# quote_command("command", "arg 1", "arg with ' and ! characters")
+# => "'command' 'arg 1' 'arg with '\'' and '\!' characters'"
+# Try to avoid using this function wherever possible.
+sub quote_command {
+ return join(' ',
+ map( { my $a = $_; $a =~ s/(['!])/'\\$1'/g; "'$a'" } @_ ));
}
# get HEAD ref of given project as hash
@@ -4633,7 +4637,6 @@ sub git_snapshot {
$hash = git_get_head_hash($project);
}
- my $git_command = git_cmd_str();
my $name = $project;
$name =~ s,([^/])/*\.git$,$1,;
$name = basename($name);
@@ -4641,11 +4644,12 @@ sub git_snapshot {
$name =~ s/\047/\047\\\047\047/g;
my $cmd;
$filename .= "-$hash$known_snapshot_formats{$format}{'suffix'}";
- $cmd = "$git_command archive " .
- "--format=$known_snapshot_formats{$format}{'format'} " .
- "--prefix=\'$name\'/ $hash";
+ $cmd = quote_command(
+ git_cmd(), 'archive',
+ "--format=$known_snapshot_formats{$format}{'format'}",
+ "--prefix=$name/", $hash);
if (exists $known_snapshot_formats{$format}{'compressor'}) {
- $cmd .= ' | ' . join ' ', @{$known_snapshot_formats{$format}{'compressor'}};
+ $cmd .= ' | ' . quote_command(@{$known_snapshot_formats{$format}{'compressor'}});
}
print $cgi->header(
@@ -4858,8 +4862,8 @@ sub git_object {
if ($hash || ($hash_base && !defined $file_name)) {
my $object_id = $hash || $hash_base;
- my $git_command = git_cmd_str();
- open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null"
+ open my $fd, "-|", quote_command(
+ git_cmd(), 'cat-file', '-t', $object_id) . ' 2> /dev/null'
or die_error('404 Not Found', "Object does not exist");
$type = <$fd>;
chomp $type;
--
1.6.1
Index: git.spec
===================================================================
RCS file: /cvs/extras/rpms/git/EL-5/git.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- git.spec 20 Dec 2008 18:15:40 -0000 1.37
+++ git.spec 12 Jan 2009 20:07:21 -0000 1.38
@@ -1,7 +1,7 @@
# Pass --without docs to rpmbuild if you don't want the documentation
Name: git
Version: 1.5.5.6
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Core git tools
License: GPL
Group: Development/Tools
@@ -11,6 +11,7 @@
Source2: git.xinetd
Source3: git.conf.httpd
Patch0: git-1.5-gitweb-home-link.patch
+Patch1: CVE-2008-5517.patch
BuildRequires: perl, zlib-devel >= 1.2, openssl-devel, curl-devel, expat-devel, emacs, gettext %{!?_without_docs:, xmlto, asciidoc > 6.0.3}
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -120,6 +121,7 @@
%prep
%setup -q
%patch0 -p1
+%patch1 -p1 -b .CVE-2008-5517
%build
make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \
@@ -244,6 +246,9 @@
# No files for you!
%changelog
+* Mon Jan 12 2009 Todd Zullinger <tmz at pobox.com> 1.5.5.6-2
+- Fix CVE-2008-5517, gitweb remote command injection
+
* Sat Dec 20 2008 James Bowes <jbowes at redhat.com> 1.5.5.6-1
- git-1.5.5.6
More information about the fedora-extras-commits
mailing list