Your message dated Thu, 04 Feb 2010 13:52:43 +0000
with message-id <e1nd28r-0006wj...@ries.debian.org>
and subject line Bug#567039: fixed in trac-git 0.0.20080710-3+lenny1
has caused the Debian Bug report #567039,
regarding trac-git: Arbitrary command execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
567039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567039
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole


The trac-git package in Debian Lenny - if enabled in Trac - allows a
remote attacker to execute arbitrary commands on the system with the
rights of the user running Trac. The attacker must have the rights to
browse the repository in order to exploit this issue; other parts of
Trac are most likely not affected.

The attached patch fixes the problem. It is not thoroughly tested,
though, but seems to work fine on my test system with a few Git
repositories.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages trac-git depends on:
ii  git-core              1:1.5.6.5-3+lenny2 fast, scalable, distributed revisi
ii  python                2.5.2-3            An interactive high-level object-o
ii  python-central        0.6.8              register and build utility for Pyt
ii  trac                  0.11.1-2.1         Enhanced wiki and issue tracking s

trac-git recommends no packages.

trac-git suggests no packages.

-- no debconf information
--- PyGIT.py.orig       2008-12-09 23:37:18.000000000 +0100
+++ PyGIT.py    2010-01-26 21:21:26.000000000 +0100
@@ -42,10 +42,9 @@
             cmd.append('--git-dir=%s' % self.__git_dir)
         cmd.append(gitcmd)
         cmd.extend(args)
-        strcmd = " ".join(cmd)
 
         #print >>sys.stderr, "GitCore '%s'" % str(cmd)
-        return Popen(strcmd, shell=True, bufsize=0, stdin=PIPE, stdout=PIPE, 
stderr=PIPE, close_fds=True)
+        return Popen(cmd, shell=False, bufsize=0, stdin=PIPE, stdout=PIPE, 
stderr=PIPE, close_fds=True)
 
     def __execute(self, git_cmd, *cmd_args):
         file = self.__execute2(git_cmd, *cmd_args)
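Review bot: the two Popen lines in this hunk have been wrapped by the mailer (`stderr=PIPE, close_fds=True)` sits on a line of its own with no leading `-`/`+`), so the patch will not apply cleanly as pasted; re-join those lines or send it as an attachment. The substance of the change is right: dropping `strcmd = " ".join(cmd)` and calling `Popen(cmd, shell=False, ...)` hands every element of `cmd` to git as one argv entry, so shell metacharacters in a ref name or path are no longer interpreted. Since `strcmd` is removed, confirm that nothing else in the class still references it, and that every value callers pass through `args` is already a string, as Popen with a list will not stringify them.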

--- End Message ---
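To make the difference between the old and the fixed invocation concrete, here is an added example (not the reporter's patch and not trac-git code): it rebuilds the argv list the way the fixed PyGIT.py does, shows how a POSIX shell would have tokenized the old space-joined string without executing anything, and runs the list form through a constructed Python stand-in for git that reports the argv it received. The git-dir path and ref name are constructed sample values.

```python
import json
import shlex
import subprocess
import sys
from subprocess import PIPE


def build_git_cmd(git_dir, gitcmd, *args):
    """Build the git argv list as the fixed PyGIT.py does (no shell)."""
    cmd = ['git']
    if git_dir:
        cmd.append('--git-dir=%s' % git_dir)
    cmd.append(gitcmd)
    cmd.extend(args)
    return cmd


def shell_words(cmd):
    """What a POSIX shell would make of the old strcmd = " ".join(cmd).
    Nothing is executed; shlex.split only mimics the shell tokenizer,
    which is enough to show that argument boundaries are lost."""
    return shlex.split(" ".join(cmd))


def run_argv(cmd):
    """Run an argv list exactly as the fix does: shell=False, each list
    element becomes one argv entry of the child, metacharacters stay literal."""
    proc = subprocess.Popen(cmd, shell=False, bufsize=0, stdin=PIPE,
                            stdout=PIPE, stderr=PIPE, close_fds=True)
    out, _ = proc.communicate()
    return out.decode()


def argv_seen_by_child(*args):
    """Constructed stand-in for git: a Python child that echoes its argv."""
    cmd = [sys.executable, '-c',
           'import json, sys; print(json.dumps(sys.argv[1:]))']
    return json.loads(run_argv(cmd + list(args)))


if __name__ == '__main__':
    # Constructed request parameter: a ref name containing shell-significant text.
    ref = 'master $HOME'
    cmd = build_git_cmd('/srv/repo.git', 'rev-parse', ref)
    print("argv list:      ", cmd)              # ref stays one element
    print("old shell split:", shell_words(cmd))  # ref is split into two words
    print("child received: ", argv_seen_by_child(ref))
```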
--- Begin Message ---
Source: trac-git
Source-Version: 0.0.20080710-3+lenny1

We believe that the bug you reported is fixed in the latest version of
trac-git, which is due to be installed in the Debian FTP archive:

trac-git_0.0.20080710-3+lenny1.diff.gz
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.diff.gz
trac-git_0.0.20080710-3+lenny1.dsc
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1.dsc
trac-git_0.0.20080710-3+lenny1_all.deb
  to main/t/trac-git/trac-git_0.0.20080710-3+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonny Lamb <jo...@debian.org> (supplier of updated trac-git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Feb 2010 15:27:44 +0000
Source: trac-git
Binary: trac-git
Architecture: source all
Version: 0.0.20080710-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jonny Lamb <jo...@debian.org>
Changed-By: Jonny Lamb <jo...@debian.org>
Description: 
 trac-git   - Git version control backend for Trac
Closes: 567039
Changes: 
 trac-git (0.0.20080710-3+lenny1) stable-security; urgency=high
 .
   * debian/patches/:
     + Updated 02-508019-defunct-processes.diff to what upstream actually
       did so that we don't introduce security holes. Upstream bug (linked
       to from patch) explains bug and patch more thoroughly. Thanks to
       Stefan Göbel for letting us know about the bug and providing a
       patch. This is CVE-2010-0394. (Closes: #567039)


--- End Message ---
