Your message dated Thu, 16 Dec 2010 10:02:37 +0000
with message-id <e1ptafv-0000s2...@franck.debian.org>
and subject line Bug#607248: fixed in git 1:1.7.2.3-2.2
has caused the Debian Bug report #607248,
regarding gitweb: XSS vulnerability (CVE 2010-3906)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gitweb
Version: 1:1.5.0~rc3-1
Severity: serious
Tags: security patch upstream fixed-upstream

Hi,

As the release notes for git 1.7.2.5 explain:

 * "gitweb" can sometimes be tricked into parroting a filename argument
   given in a request without properly quoting.

Fixed by v1.6.4.5~1 (gitweb: Introduce esc_attr to escape attributes
of HTML elements, 2010-12-15).  Backport to 1.5.6.5 follows.

-- 8< --
From: Jakub Narebski <jna...@gmail.com>
Date: Wed, 15 Dec 2010 00:34:01 +0100
Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements

It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.

While at it, add esc_url and esc_html where needed, and prefer CGI.pm
HTML generating methods over handcrafted HTML code.  Most of
those are probably unnecessary (could be exploited only by person with
write access to gitweb config, or at least access to the repository).

This fixes CVE-2010-3906

Reported-by: Emanuele Gentili <e.gent...@tigersecurity.it>
Helped-by: John 'Warthog9' Hawley <warth...@kernel.org>
Helped-by: Jonathan Nieder <jrnie...@gmail.com>
Signed-off-by: Jakub Narebski <jna...@gmail.com>
Signed-off-by: Junio C Hamano <gits...@pobox.com>
(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
Signed-off-by: Jonathan Nieder <jrnie...@gmail.com>
---
 gitweb/gitweb.perl |   35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f88ce35..6dc9a6a 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -730,6 +730,13 @@ sub esc_url {
        return $str;
 }
 
+# quote unsafe characters in HTML attributes
+sub esc_attr {
+
+       # for XHTML conformance escaping '"' to '&quot;' is not enough
+       return esc_html(@_);
+}
+
 # replace invalid utf8 character with SUBSTITUTION sequence
 sub esc_html ($;%) {
        my $str = shift;
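Review bot: esc_attr is a pure alias for esc_html, so its safety in attribute context rests entirely on esc_html escaping the double quote, and neither the new comment nor the visible part of esc_html says so. Rewrite the comment to state the contract, along the lines of "escapes &, <, > and \"; callers must always wrap the value in double quotes, because whether a single quote is escaped depends on the underlying escaper", so that a future caller does not emit esc_attr($x) inside single-quoted attributes. Nit: drop the blank line after `sub esc_attr {`.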
@@ -1106,7 +1113,7 @@ sub format_ref_marker {
                                $name = $ref;
                        }
 
-                       $markers .= " <span class=\"$type\" title=\"$ref\">" .
+                       $markers .= " <span class=\"".esc_attr($type)."\" 
title=\"".esc_attr($ref)."\">" .
                                    esc_html($name) . "</span>";
                }
        }
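Review bot: Escaping `$ref` in the title attribute is necessary rather than merely defensive: both `$type` and `$ref` are derived from repository ref names (see the `$name = $ref` fallback just above), and git's ref-name rules reject spaces, control characters and a few shell metacharacters but allow `"`, `<`, `>` and `&`, so anyone with push access could otherwise inject attributes into every page that shows ref markers. The text node was already esc_html($name); this hunk brings the two attributes up to the same standard.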
@@ -2517,11 +2524,11 @@ EOF
 # print out each stylesheet that exist
        if (defined $stylesheet) {
 #provides backwards capability for those people who define style sheet in a 
config file
-               print '<link rel="stylesheet" type="text/css" 
href="'.$stylesheet.'"/>'."\n";
+               print '<link rel="stylesheet" type="text/css" 
href="'.esc_url($stylesheet).'"/>'."\n";
        } else {
                foreach my $stylesheet (@stylesheets) {
                        next unless $stylesheet;
-                       print '<link rel="stylesheet" type="text/css" 
href="'.$stylesheet.'"/>'."\n";
+                       print '<link rel="stylesheet" type="text/css" 
href="'.esc_url($stylesheet).'"/>'."\n";
                }
        }
        if (defined $project) {
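Review bot: esc_url is used here for a value written inside a double-quoted attribute of a handcrafted tag, so it must escape `"` and `&` as well as URL-unsafe characters; its body is outside this diff, so confirm that before relying on it, otherwise a `$stylesheet` containing `"` still closes the attribute. Exposure is low either way, as the commit message says: `$stylesheet` and `@stylesheets` are set in the gitweb config, not taken from the request.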
@@ -2534,7 +2541,7 @@ EOF
                        my $type = lc($format);
                        my %link_attr = (
                                '-rel' => 'alternate',
-                               '-title' => "$project - $href_params{'-title'} 
- $format feed",
+                               '-title' => esc_attr("$project - 
$href_params{'-title'} - $format feed"),
                                '-type' => "application/$type+xml"
                        );
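Review bot: Check how `%link_attr` is consumed before accepting esc_attr on `-title`. The commit message says esc_attr is for handcrafted HTML only, and the `-rel`/`-title`/`-type` key style is CGI.pm's; if the hash is later handed to a CGI.pm generator, which escapes attribute values itself, a `&` in `$project` comes out as `&amp;amp;`. If the `<link>` is assembled by hand from the hash (the lines that do so are not in this hunk), the change is right, and the `-type` value and the `href` added to the hash elsewhere should get the same treatment for consistency.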
 
@@ -2561,13 +2568,13 @@ EOF
        } else {
                printf('<link rel="alternate" title="%s projects list" '.
                       'href="%s" type="text/plain; charset=utf-8" />'."\n",
-                      $site_name, href(project=>undef, 
action=>"project_index"));
+                      esc_attr($site_name), href(project=>undef, 
action=>"project_index"));
                printf('<link rel="alternate" title="%s projects feeds" '.
                       'href="%s" type="text/x-opml" />'."\n",
-                      $site_name, href(project=>undef, action=>"opml"));
+                      esc_attr($site_name), href(project=>undef, 
action=>"opml"));
        }
        if (defined $favicon) {
-               print qq(<link rel="shortcut icon" href="$favicon" 
type="image/png" />\n);
+               print qq(<link rel="shortcut icon" 
href=").esc_url($favicon).qq(" type="image/png" />\n);
        }
 
        print "</head>\n" .
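Review bot: `$site_name` is now escaped, but the `href="%s"` values from `href(project=>undef, ...)` are still interpolated raw into the same printf; that is only safe if href() returns an attribute-safe URL (no raw `"`, `&` written as `&amp;` or parameters separated by `;`). Its body is not in the diff, so confirm it, or route the result through esc_url as the `$favicon` branch in this hunk does. The favicon change itself is fine; `$favicon` is config data, with the same low exposure as the stylesheets.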
@@ -2582,7 +2589,7 @@ EOF
        print "<div class=\"page_header\">\n" .
              $cgi->a({-href => esc_url($logo_url),
                       -title => $logo_label},
-                     qq(<img src="$logo" width="72" height="27" alt="git" 
class="logo"/>));
+                     qq(<img src=").esc_url($logo).qq(" width="72" height="27" 
alt="git" class="logo"/>));
        print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
        if (defined $project) {
                print $cgi->a({-href => href(action=>"summary")}, 
esc_html($project));
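Review bot: Worth a one-line comment in the code: the `<img>` string is the content argument of `$cgi->a(...)`, which CGI.pm emits verbatim, so esc_url($logo) is the only escaping `src` gets, whereas `-title => $logo_label` in the same call is escaped by CGI.pm and is correctly left alone. Without that note the asymmetry invites someone to "fix" `$logo_label` with esc_attr and double-escape it.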
@@ -4287,7 +4294,7 @@ HTML
                        $lineno   = $4;
                        $data     = $5;
                } else {
-                       print qq(  <tr><td colspan="5" class="error">Unable to 
parse: $line</td></tr>\n);
+                       print qq(  <tr><td colspan="5" class="error">Unable to 
parse: ).esc_html($line).qq(</td></tr>\n);
                        next;
                }
                $short_rev  = substr ($long_rev, 0, 8);
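Review bot: esc_html on the unparsed `$line` is the right fix; the line is raw `git blame` output and can carry arbitrary repository content. The successful branch stores `$data` from the same stream (`$data = $5` above) for output further down; that code is outside the hunk, so confirm it is escaped on its way into the table as well, since an unparseable line and a parseable one come from the same untrusted source.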
@@ -4444,14 +4451,14 @@ sub git_blob {
        } else {
                print "<div class=\"page_nav\">\n" .
                      "<br/><br/></div>\n" .
-                     "<div class=\"title\">$hash</div>\n";
+                     "<div class=\"title\">".esc_html($hash)."</div>\n";
        }
        git_print_page_path($file_name, "blob", $hash_base);
        print "<div class=\"page_body\">\n";
        if ($mimetype =~ m!^image/!) {
-               print qq!<img type="$mimetype"!;
+               print qq!<img type="!.esc_attr($mimetype).qq!"!;
                if ($file_name) {
-                       print qq! alt="$file_name" title="$file_name"!;
+                       print qq! alt="!.esc_attr($file_name).qq!" 
title="!.esc_attr($file_name).qq!"!;
                }
                print qq! src="! .
                      href(action=>"blob_plain", hash=>$hash,
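Review bot: This is the hunk that closes the reported vector: `$file_name` comes from the request and was interpolated unescaped into `alt` and `title`. Any path validation applied to it earlier is about traversal and NUL bytes, not HTML metacharacters, so output escaping is required regardless of that validation. The `src` that follows is built from `href(...)` and, like the other href() uses in this patch, relies on that function's own escaping. Aside from the security change: `type` is not an attribute of `<img>` in XHTML 1.0, so dropping it would be cleaner than escaping it.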
@@ -4517,7 +4524,7 @@ sub git_tree {
                undef $hash_base;
                print "<div class=\"page_nav\">\n";
                print "<br/><br/></div>\n";
-               print "<div class=\"title\">$hash</div>\n";
+               print "<div class=\"title\">".esc_html($hash)."</div>\n";
        }
        if (defined $file_name) {
                $basedir = $file_name;
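Review bot: Same `<div class="title">` fix as in git_blob, duplicated by hand together with the surrounding `page_nav` boilerplate; this is a candidate for a small shared helper so the next escaping fix is made once. `$hash` is a request parameter, so the escape is needed even where the value is normally validated as a ref or object name: rejecting malformed refs is not the same as escaping for HTML.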
@@ -4942,7 +4949,7 @@ sub git_blobdiff {
                        git_print_header_div('commit', esc_html($co{'title'}), 
$hash_base);
                } else {
                        print "<div 
class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
-                       print "<div class=\"title\">$hash vs 
$hash_parent</div>\n";
+                       print "<div class=\"title\">".esc_html("$hash vs 
$hash_parent")."</div>\n";
                }
                if (defined $file_name) {
                        git_print_page_path($file_name, "blob", $hash_base);
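Review bot: The context line directly above the change interpolates `$formats_nav` raw into the neighbouring div: `print "<div class=\"page_nav\"><br/>$formats_nav<br/></div>\n";`. It is presumably assembled from href()/CGI.pm links earlier in git_blobdiff, but since this hunk escapes `$hash` and `$hash_parent` right next to it, confirm that `$formats_nav` is already HTML-safe where it is built rather than leaving it as the one unescaped interpolation in the block.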
-- 
1.7.2.3




--- End Message ---
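The commit message above draws the line between handcrafted HTML, whose attribute values need esc_attr, and elements generated by CGI.pm methods, which must not be pre-escaped. The Perl script below is an added illustration and is not gitweb code or part of the Debian patch: it uses minimal stand-ins for esc_html/esc_attr built on CGI.pm's escapeHTML (the call gitweb's own esc_html wraps), a constructed request filename containing an attribute-closing quote, and CGI.pm's a() method to show the double-escaping that wrapping a generated attribute would produce. It needs the CGI module installed; every function and variable name in it is the example's own.

```perl
#!/usr/bin/perl
# Added example, not gitweb code: why handcrafted attribute values need
# esc_attr while CGI.pm-generated attributes must be left alone.
use strict;
use warnings;
use CGI;

# Empty initializer so CGI.pm never tries to read parameters from STDIN
# when this is run from a terminal.
my $cgi = CGI->new({});

# Stand-ins for gitweb's esc_html/esc_attr. The real esc_html also handles
# UTF-8 and control characters; only the HTML-metacharacter part matters here.
sub esc_html {
    my $str = shift;
    return undef unless defined $str;
    return $cgi->escapeHTML($str);
}
sub esc_attr { return esc_html(@_); }

# Vulnerable shape (pre-patch git_blob): the request-supplied name is
# interpolated straight into double-quoted attributes.
sub img_before {
    my ($file_name) = @_;
    return qq! alt="$file_name" title="$file_name"!;
}

# Fixed shape (post-patch): every handcrafted attribute value is escaped.
sub img_after {
    my ($file_name) = @_;
    return qq! alt="! . esc_attr($file_name) . qq!" title="! . esc_attr($file_name) . qq!"!;
}

# How many name="value" attributes a parser would see in the fragment.
sub attr_count {
    my ($html) = @_;
    my @attrs = $html =~ /[\w-]+="[^"]*"/g;
    return scalar @attrs;
}

# CGI.pm escapes attribute values itself; pre-escaping them double-encodes.
sub cgi_link        { return $cgi->a({ -title => $_[0] }, 'x'); }
sub cgi_link_double { return $cgi->a({ -title => esc_attr($_[0]) }, 'x'); }

# Constructed request input: closes the alt attribute and adds a handler.
my $file_name = 'x" onerror="alert(1)';

my $before = img_before($file_name);
my $after  = img_after($file_name);
print "before:$before\n";
print "after: $after\n";

# Two attributes were written in both cases; the unescaped quote turns them
# into four, one of which is the injected event handler.
attr_count($before) == 4 or die "expected attribute breakout in the unescaped form";
attr_count($after)  == 2 or die "escaped form must keep exactly two attributes";
$after =~ /onerror="/ and die "escaped form must not contain a live onerror attribute";

# CGI.pm's own attribute escaping, and what happens if esc_attr is applied first.
my $plain  = cgi_link('a & b');
my $double = cgi_link_double('a & b');
print "cgi:    $plain\n";
print "double: $double\n";
$plain  =~ /title="a &amp; b"/ or die "CGI.pm did not escape the attribute itself";
$double =~ /&amp;amp;/         or die "expected double escaping when pre-escaping CGI.pm input";
```

The two halves mirror the two rules in the commit message: the first shows that a value interpolated by hand needs esc_attr and that the check for success is the attribute count, not just the absence of a visible `alert`; the second shows that a value handed to a CGI.pm generator is already escaped, so adding esc_attr there corrupts legitimate `&` characters rather than adding safety. Whether escapeHTML also rewrites the single quote depends on CGI.pm's charset setting, which is why the example, like the patch, only ever uses double-quoted attributes.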
--- Begin Message ---
Source: git
Source-Version: 1:1.7.2.3-2.2

We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive:

git-all_1.7.2.3-2.2_all.deb
  to main/g/git/git-all_1.7.2.3-2.2_all.deb
git-arch_1.7.2.3-2.2_all.deb
  to main/g/git/git-arch_1.7.2.3-2.2_all.deb
git-core_1.7.2.3-2.2_all.deb
  to main/g/git/git-core_1.7.2.3-2.2_all.deb
git-cvs_1.7.2.3-2.2_all.deb
  to main/g/git/git-cvs_1.7.2.3-2.2_all.deb
git-daemon-run_1.7.2.3-2.2_all.deb
  to main/g/git/git-daemon-run_1.7.2.3-2.2_all.deb
git-doc_1.7.2.3-2.2_all.deb
  to main/g/git/git-doc_1.7.2.3-2.2_all.deb
git-email_1.7.2.3-2.2_all.deb
  to main/g/git/git-email_1.7.2.3-2.2_all.deb
git-gui_1.7.2.3-2.2_all.deb
  to main/g/git/git-gui_1.7.2.3-2.2_all.deb
git-svn_1.7.2.3-2.2_all.deb
  to main/g/git/git-svn_1.7.2.3-2.2_all.deb
git_1.7.2.3-2.2.diff.gz
  to main/g/git/git_1.7.2.3-2.2.diff.gz
git_1.7.2.3-2.2.dsc
  to main/g/git/git_1.7.2.3-2.2.dsc
git_1.7.2.3-2.2_amd64.deb
  to main/g/git/git_1.7.2.3-2.2_amd64.deb
gitk_1.7.2.3-2.2_all.deb
  to main/g/git/gitk_1.7.2.3-2.2_all.deb
gitweb_1.7.2.3-2.2_all.deb
  to main/g/git/gitweb_1.7.2.3-2.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Dec 2010 01:00:30 -0600
Source: git
Binary: git git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run 
git-gui gitk gitweb git-all
Architecture: source amd64 all
Version: 1:1.7.2.3-2.2
Distribution: unstable
Urgency: medium
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Description: 
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system 
(git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Closes: 607248
Changes: 
 git (1:1.7.2.3-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/diff/0034-gitweb-Introduce-esc_attr...diff: new from
     upstream: gitweb: do not parrot filenames or other arguments given
     in a request without proper quoting (closes: #607248,
     CVE-2010-3906).
Checksums-Sha1: 
 530df0098b9e0d916ec54799fc3d0391de693440 2007 git_1.7.2.3-2.2.dsc
 dd5a2af1e09f68f1931e58976653ef52eaa16ea8 425498 git_1.7.2.3-2.2.diff.gz
 92b7339f54da7ee4190572797ee0b62a4d497673 5293432 git_1.7.2.3-2.2_amd64.deb
 743d71dc150eb6319c0b7e5d6fd29094992d0f33 1786480 git-doc_1.7.2.3-2.2_all.deb
 55caae2135ec8ff80c912418203a3ffbf67ec555 360700 git-arch_1.7.2.3-2.2_all.deb
 8e79ceccae3963ac22b353c9d3b54d2f634645ee 430698 git-cvs_1.7.2.3-2.2_all.deb
 df91aa0c3d7f9f7ea7da2ceeeaa2996a1941fa32 412458 git-svn_1.7.2.3-2.2_all.deb
 0105e66da51d6ec493bca5266fe4bc85813cf488 348802 
git-daemon-run_1.7.2.3-2.2_all.deb
 67ddbb98a4966859207ab2e8ab54a94dafef605d 365216 git-email_1.7.2.3-2.2_all.deb
 38690053d9b2e0fcc067a8f8cbc81e86d41bcbad 606592 git-gui_1.7.2.3-2.2_all.deb
 c2acfaa71cd194b570cb64fb9ab32de2084f384e 469450 gitk_1.7.2.3-2.2_all.deb
 58b62655ca4572fea2ba4a5ceedcd67334fcec4c 425016 gitweb_1.7.2.3-2.2_all.deb
 4a58bd6f11a360769ca546df4000694287f8be4b 347354 git-all_1.7.2.3-2.2_all.deb
 d6e70c5b32141d9c3999ee6a132995fe5159f3a3 1328 git-core_1.7.2.3-2.2_all.deb
Checksums-Sha256: 
 2381ec81f8c534cc135e092294b785c95650ea480c3f5eb6d11511f937908c1f 2007 
git_1.7.2.3-2.2.dsc
 d611f1091a47f50678cfee669b04742d2357c98ef3cf4f7d35e714e544d82f5e 425498 
git_1.7.2.3-2.2.diff.gz
 7bdfa6d09a18bf59e6d62891080a4df711d436b35e6699f47ef08850e849f373 5293432 
git_1.7.2.3-2.2_amd64.deb
 c1afdd98db712585b479b37b07d7436c9c02c4ba424bf7c652ac7b8acd7b6dce 1786480 
git-doc_1.7.2.3-2.2_all.deb
 3ec4e695e19e7363e5c81b6e984f1b8c5f4064bc5e71272da90bb9535daa422b 360700 
git-arch_1.7.2.3-2.2_all.deb
 33e641724e6a6ec1d43bb6ffab6ce4be6b632fa23c0c85e09db7a2b1233d841d 430698 
git-cvs_1.7.2.3-2.2_all.deb
 04846a9e0739b70c43ace77e1b908a3aacd24fdbc89dc7b7aa73fc4b38d20a3a 412458 
git-svn_1.7.2.3-2.2_all.deb
 72dde94e1ab567f240dd7f1b0fc7a2f2f27a546610add3ffad989475e1ced9db 348802 
git-daemon-run_1.7.2.3-2.2_all.deb
 3767d2591c05e353ab771c5e463c20e36bf460812cc32e48fd222ac3be5a6104 365216 
git-email_1.7.2.3-2.2_all.deb
 dce1d37e3ac92a7439463e8e0b67b5bb854592f1d8265fba9b5362b6fa141737 606592 
git-gui_1.7.2.3-2.2_all.deb
 fb34f241c0a821203b33265a3bddba7a94d5069df5f9c588371ec561b170355a 469450 
gitk_1.7.2.3-2.2_all.deb
 a6efd6585862524258b012293493dc7e5e4db893471c219e54b5799f0287af0e 425016 
gitweb_1.7.2.3-2.2_all.deb
 411328362df59edfcb678280489dbe21f9b912d1f0d6b1418705742d6ad5ee08 347354 
git-all_1.7.2.3-2.2_all.deb
 3dcc9b3233574dd52c62af00c75b150850102605697c73618f903a375871e0f8 1328 
git-core_1.7.2.3-2.2_all.deb
Files: 
 acc17d20f524bffb9a08da12f4caeb26 2007 vcs optional git_1.7.2.3-2.2.dsc
 a11499b97939c839c3616d527bc364c4 425498 vcs optional git_1.7.2.3-2.2.diff.gz
 b32c60999e54a2443e69292ec8998c28 5293432 vcs optional git_1.7.2.3-2.2_amd64.deb
 fe903255080076325595efdf186d2247 1786480 doc optional 
git-doc_1.7.2.3-2.2_all.deb
 54ca97aa41eddd0b2d9d3cdfe44a92be 360700 vcs optional 
git-arch_1.7.2.3-2.2_all.deb
 0dd2cca02114747977a5c1a8a47936dc 430698 vcs optional 
git-cvs_1.7.2.3-2.2_all.deb
 8f1058b30312312be8514f36633012a0 412458 vcs optional 
git-svn_1.7.2.3-2.2_all.deb
 f9fcbed8db1555d4db807634871ecca4 348802 vcs optional 
git-daemon-run_1.7.2.3-2.2_all.deb
 e7d029437c4d9d7ed0a5a541e3e59d1d 365216 vcs optional 
git-email_1.7.2.3-2.2_all.deb
 bed4bb4048d26926b504637ecdf31cdf 606592 vcs optional 
git-gui_1.7.2.3-2.2_all.deb
 cea5d7802b3ae91867a0ee8cf09a8893 469450 vcs optional gitk_1.7.2.3-2.2_all.deb
 d0a2610726bcc7ebf2a9b4b995e5f3cd 425016 vcs optional gitweb_1.7.2.3-2.2_all.deb
 a3697d7ef95c18138b065d370cc20f87 347354 vcs optional 
git-all_1.7.2.3-2.2_all.deb
 0afd3cc1c5abe8ae8364c856d2d43d8e 1328 vcs optional git-core_1.7.2.3-2.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
