Your message dated Sat, 14 Aug 2010 18:01:25 +0200
with message-id <201008141801.28659.th...@debian.org>
and subject line closing for testing/unstable aswell
has caused the Debian Bug report #567039,
regarding trac-git: Arbitrary command execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
567039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567039
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole
The trac-git package in Debian Lenny - if enabled in Trac - allows a
remote attacker to execute arbitrary commands on the system with the
rights of the user running Trac. The attacker must have the rights to
browse the repository in order to exploit this issue, other parts of
Trac are most likely not affected.
The attached patch fixes the problem. It is not thoroughly tested,
though, but seems to work fine on my test system with a few Git
repositories.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages trac-git depends on:
ii git-core 1:1.5.6.5-3+lenny2 fast, scalable, distributed revisi
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
ii trac 0.11.1-2.1 Enhanced wiki and issue tracking s
trac-git recommends no packages.
trac-git suggests no packages.
-- no debconf information
--- PyGIT.py.orig 2008-12-09 23:37:18.000000000 +0100
+++ PyGIT.py 2010-01-26 21:21:26.000000000 +0100
@@ -42,10 +42,9 @@
cmd.append('--git-dir=%s' % self.__git_dir)
cmd.append(gitcmd)
cmd.extend(args)
- strcmd = " ".join(cmd)
#print >>sys.stderr, "GitCore '%s'" % str(cmd)
- return Popen(strcmd, shell=True, bufsize=0, stdin=PIPE, stdout=PIPE,
stderr=PIPE, close_fds=True)
+ return Popen(cmd, shell=False, bufsize=0, stdin=PIPE, stdout=PIPE,
stderr=PIPE, close_fds=True)
def __execute(self, git_cmd, *cmd_args):
file = self.__execute2(git_cmd, *cmd_args)
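Review bot: Replacing the joined `strcmd` string plus `shell=True` with the list form and `shell=False` is the right fix for this hunk, since each element of `cmd` now reaches git as a single argv entry and shell metacharacters in `args` are no longer interpreted by `/bin/sh`. One follow-up in `__execute2`: `cmd.extend(args)` still appends caller-supplied values directly, so a value beginning with `-` would be parsed by git as an option rather than as a revision or path; callers that pass user-controlled names should place a `--` separator before them. The commented-out debug print already formats `str(cmd)`, so nothing still refers to the removed `strcmd`.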
--- End Message ---
--- Begin Message ---
Version: 0.0.20090320-1
Closing this bug with the version for testing/unstable as well.
--- End Message ---