
Bug#609947: pu: package git-core/1:1.5.6.5-3+lenny3.3



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: lenny security

Hi,

git in lenny (and etch) suffers from Bug#607248 (cross-site scripting
vulnerability in gitweb, CVE-2010-3906).  The fix has been present in
sid for about a month with no problems appearing, so I suppose it
should be safe to apply to lenny, too.

debdiff attached.  Would this be ok to upload to spu?

(To save a round-trip: if you give the ok, I welcome any interested DD
to make the actual upload.  Please cc me so I can test the autobuilt
binary packages.)

 http://alioth.debian.org/~jrnieder-guest/git/git-core_1.5.6.5-3+lenny3.3.dsc

Thanks,
Jonathan
diff -u git-core-1.5.6.5/debian/changelog git-core-1.5.6.5/debian/changelog
--- git-core-1.5.6.5/debian/changelog
+++ git-core-1.5.6.5/debian/changelog
@@ -1,3 +1,12 @@
+git-core (1:1.5.6.5-3+lenny3.3) stable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/diff/0010-CVE-2010-3906.diff:
+    new; gitweb: do not parrot filenames or other arguments given
+    in a request without proper quoting (closes: #607248).
+
+ -- Jonathan Nieder <jrnieder@gmail.com>  Thu, 13 Jan 2011 23:13:05 -0600
+
 git-core (1:1.5.6.5-3+lenny3.2) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
only in patch2:
unchanged:
--- git-core-1.5.6.5.orig/debian/diff/0010-CVE-2010-3906.diff
+++ git-core-1.5.6.5/debian/diff/0010-CVE-2010-3906.diff
@@ -0,0 +1,151 @@
+From 9b177cb2455c30aef3ff88100372cb55c7b0595d Mon Sep 17 00:00:00 2001
+From: Jakub Narebski <jnareb@gmail.com>
+Date: Wed, 15 Dec 2010 00:34:01 +0100
+Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements
+
+It is needed only to escape attributes of handcrafted HTML elements,
+and not those generated using CGI.pm subroutines / methods for HTML
+generation.
+
+While at it, add esc_url and esc_html where needed, and prefer to use
+CGI.pm HTML generating methods than handcrafted HTML code.  Most of
+those are probably unnecessary (could be exploited only by person with
+write access to gitweb config, or at least access to the repository).
+
+This fixes CVE-2010-3906
+
+Reported-by: Emanuele Gentili <e.gentili@tigersecurity.it>
+Helped-by: John 'Warthog9' Hawley <warthog9@kernel.org>
+Helped-by: Jonathan Nieder <jrnieder@gmail.com>
+Signed-off-by: Jakub Narebski <jnareb@gmail.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+---
+ gitweb/gitweb.perl |   35 +++++++++++++++++++++--------------
+ 1 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
+index f88ce35..6dc9a6a 100755
+--- a/gitweb/gitweb.perl
++++ b/gitweb/gitweb.perl
+@@ -730,6 +730,13 @@ sub esc_url {
+ 	return $str;
+ }
+ 
++# quote unsafe characters in HTML attributes
++sub esc_attr {
++
++	# for XHTML conformance escaping '"' to '&quot;' is not enough
++	return esc_html(@_);
++}
++
+ # replace invalid utf8 character with SUBSTITUTION sequence
+ sub esc_html ($;%) {
+ 	my $str = shift;
+@@ -1106,7 +1113,7 @@ sub format_ref_marker {
+ 				$name = $ref;
+ 			}
+ 
+-			$markers .= " <span class=\"$type\" title=\"$ref\">" .
++			$markers .= " <span class=\"".esc_attr($type)."\" title=\"".esc_attr($ref)."\">" .
+ 			            esc_html($name) . "</span>";
+ 		}
+ 	}
+@@ -2517,11 +2524,11 @@ EOF
+ # print out each stylesheet that exist
+ 	if (defined $stylesheet) {
+ #provides backwards capability for those people who define style sheet in a config file
+-		print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
++		print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
+ 	} else {
+ 		foreach my $stylesheet (@stylesheets) {
+ 			next unless $stylesheet;
+-			print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
++			print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
+ 		}
+ 	}
+ 	if (defined $project) {
+@@ -2534,7 +2541,7 @@ EOF
+ 			my $type = lc($format);
+ 			my %link_attr = (
+ 				'-rel' => 'alternate',
+-				'-title' => "$project - $href_params{'-title'} - $format feed",
++				'-title' => esc_attr("$project - $href_params{'-title'} - $format feed"),
+ 				'-type' => "application/$type+xml"
+ 			);
+ 
+@@ -2561,13 +2568,13 @@ EOF
+ 	} else {
+ 		printf('<link rel="alternate" title="%s projects list" '.
+ 		       'href="%s" type="text/plain; charset=utf-8" />'."\n",
+-		       $site_name, href(project=>undef, action=>"project_index"));
++		       esc_attr($site_name), href(project=>undef, action=>"project_index"));
+ 		printf('<link rel="alternate" title="%s projects feeds" '.
+ 		       'href="%s" type="text/x-opml" />'."\n",
+-		       $site_name, href(project=>undef, action=>"opml"));
++		       esc_attr($site_name), href(project=>undef, action=>"opml"));
+ 	}
+ 	if (defined $favicon) {
+-		print qq(<link rel="shortcut icon" href="$favicon" type="image/png" />\n);
++		print qq(<link rel="shortcut icon" href=").esc_url($favicon).qq(" type="image/png" />\n);
+ 	}
+ 
+ 	print "</head>\n" .
+@@ -2582,7 +2589,7 @@ EOF
+ 	print "<div class=\"page_header\">\n" .
+ 	      $cgi->a({-href => esc_url($logo_url),
+ 	               -title => $logo_label},
+-	              qq(<img src="$logo" width="72" height="27" alt="git" class="logo"/>));
++	              qq(<img src=").esc_url($logo).qq(" width="72" height="27" alt="git" class="logo"/>));
+ 	print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
+ 	if (defined $project) {
+ 		print $cgi->a({-href => href(action=>"summary")}, esc_html($project));
+@@ -4287,7 +4294,7 @@ HTML
+ 			$lineno   = $4;
+ 			$data     = $5;
+ 		} else {
+-			print qq(  <tr><td colspan="5" class="error">Unable to parse: $line</td></tr>\n);
++			print qq(  <tr><td colspan="5" class="error">Unable to parse: ).esc_html($line).qq(</td></tr>\n);
+ 			next;
+ 		}
+ 		$short_rev  = substr ($long_rev, 0, 8);
+@@ -4444,14 +4451,14 @@ sub git_blob {
+ 	} else {
+ 		print "<div class=\"page_nav\">\n" .
+ 		      "<br/><br/></div>\n" .
+-		      "<div class=\"title\">$hash</div>\n";
++		      "<div class=\"title\">".esc_html($hash)."</div>\n";
+ 	}
+ 	git_print_page_path($file_name, "blob", $hash_base);
+ 	print "<div class=\"page_body\">\n";
+ 	if ($mimetype =~ m!^image/!) {
+-		print qq!<img type="$mimetype"!;
++		print qq!<img type="!.esc_attr($mimetype).qq!"!;
+ 		if ($file_name) {
+-			print qq! alt="$file_name" title="$file_name"!;
++			print qq! alt="!.esc_attr($file_name).qq!" title="!.esc_attr($file_name).qq!"!;
+ 		}
+ 		print qq! src="! .
+ 		      href(action=>"blob_plain", hash=>$hash,
+@@ -4517,7 +4524,7 @@ sub git_tree {
+ 		undef $hash_base;
+ 		print "<div class=\"page_nav\">\n";
+ 		print "<br/><br/></div>\n";
+-		print "<div class=\"title\">$hash</div>\n";
++		print "<div class=\"title\">".esc_html($hash)."</div>\n";
+ 	}
+ 	if (defined $file_name) {
+ 		$basedir = $file_name;
+@@ -4942,7 +4949,7 @@ sub git_blobdiff {
+ 			git_print_header_div('commit', esc_html($co{'title'}), $hash_base);
+ 		} else {
+ 			print "<div class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
+-			print "<div class=\"title\">$hash vs $hash_parent</div>\n";
++			print "<div class=\"title\">".esc_html("$hash vs $hash_parent")."</div>\n";
+ 		}
+ 		if (defined $file_name) {
+ 			git_print_page_path($file_name, "blob", $hash_base);
+-- 
+1.7.4.rc2
+
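Review bot: In the nested gitweb.perl patch, the new `esc_attr` calls `esc_html(@_)` from directly above `sub esc_html ($;%)`, so the call is compiled before that prototype is known, and that ordering is the only reason the argument list is forwarded intact. If esc_html were ever predeclared or moved above esc_attr, the `$` prototype would evaluate `@_` in scalar context and every escaped attribute would carry the argument count instead of the escaped string. If the script runs with warnings enabled (not visible in this hunk), perl would also be expected to report the call as made too early to check the prototype. Forwarding explicitly removes the dependence on definition order: `my $str = shift;` followed by `return esc_html($str, @_);`. The esc_attr callers added in the later gitweb.perl hunks each pass a single scalar, so the escaped output is correct as the patch stands.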
