
Bug#609947: marked as done (pu: package git-core/1:1.5.6.5-3+lenny3.3)



Your message dated Sun, 23 Jan 2011 21:36:37 -0600
with message-id <20110124033637.GA10448@burratino>
and subject line Re: Accepted git-core 1:1.5.6.5-3+lenny3.3 (source all amd64)
has caused the Debian Bug report #609947,
regarding pu: package git-core/1:1.5.6.5-3+lenny3.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
609947: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609947
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: lenny security

Hi,

git in lenny (and etch) suffers from Bug#607248 (cross-site scripting
vulnerability in gitweb, CVE-2010-3906).  The fix has been present in
sid for about a month with no problems appearing, so I suppose it
should be safe to apply to lenny, too.

debdiff attached.  Would this be ok to upload to spu?

(To save a round-trip: if you give the ok, I welcome any interested DD
to make the actual upload.  Please cc me so I can test the autobuilt
binary packages.)

 http://alioth.debian.org/~jrnieder-guest/git/git-core_1.5.6.5-3+lenny3.3.dsc

Thanks,
Jonathan
diff -u git-core-1.5.6.5/debian/changelog git-core-1.5.6.5/debian/changelog
--- git-core-1.5.6.5/debian/changelog
+++ git-core-1.5.6.5/debian/changelog
@@ -1,3 +1,12 @@
+git-core (1:1.5.6.5-3+lenny3.3) stable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/diff/0010-CVE-2010-3906.diff:
+    new; gitweb: do not parrot filenames or other arguments given
+    in a request without proper quoting (closes: #607248).
+
+ -- Jonathan Nieder <jrnieder@gmail.com>  Thu, 13 Jan 2011 23:13:05 -0600
+
 git-core (1:1.5.6.5-3+lenny3.2) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
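Review bot: the changelog entry names the CVE only through the patch file name (debian/diff/0010-CVE-2010-3906.diff); the description itself says "do not parrot filenames or other arguments given in a request without proper quoting" without stating that this is the gitweb cross-site scripting issue (CVE-2010-3906) that the bug text above describes. Spelling it out, e.g. "gitweb: fix cross-site scripting in output of request arguments (CVE-2010-3906, closes: #607248)", makes the stable update self-describing for the security tracker and for anyone reading the changelog without the diff.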
only in patch2:
unchanged:
--- git-core-1.5.6.5.orig/debian/diff/0010-CVE-2010-3906.diff
+++ git-core-1.5.6.5/debian/diff/0010-CVE-2010-3906.diff
@@ -0,0 +1,151 @@
+From 9b177cb2455c30aef3ff88100372cb55c7b0595d Mon Sep 17 00:00:00 2001
+From: Jakub Narebski <jnareb@gmail.com>
+Date: Wed, 15 Dec 2010 00:34:01 +0100
+Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements
+
+It is needed only to escape attributes of handcrafted HTML elements,
+and not those generated using CGI.pm subroutines / methods for HTML
+generation.
+
+While at it, add esc_url and esc_html where needed, and prefer to use
+CGI.pm HTML generating methods than handcrafted HTML code.  Most of
+those are probably unnecessary (could be exploited only by person with
+write access to gitweb config, or at least access to the repository).
+
+This fixes CVE-2010-3906
+
+Reported-by: Emanuele Gentili <e.gentili@tigersecurity.it>
+Helped-by: John 'Warthog9' Hawley <warthog9@kernel.org>
+Helped-by: Jonathan Nieder <jrnieder@gmail.com>
+Signed-off-by: Jakub Narebski <jnareb@gmail.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
+Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
+---
+ gitweb/gitweb.perl |   35 +++++++++++++++++++++--------------
+ 1 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
+index f88ce35..6dc9a6a 100755
+--- a/gitweb/gitweb.perl
++++ b/gitweb/gitweb.perl
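Review bot: the commit message calls most of the added escaping "probably unnecessary" because only someone with write access to the gitweb config or the repository could exploit it, but does not say which hunks cover the request-driven case that CVE-2010-3906 is about. For a stable update it would help the release team if the message, or the Debian changelog, identified the hunks that escape values arriving in the request (the changelog mentions file names and other request arguments; in the diff these are the $hash, $hash_parent and $file_name uses in git_blob, git_tree and git_blobdiff) as the fix for the reported issue, and labelled the stylesheet, logo, favicon and site_name hunks as hardening of config-controlled values.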
+@@ -730,6 +730,13 @@ sub esc_url {
+ 	return $str;
+ }
+ 
++# quote unsafe characters in HTML attributes
++sub esc_attr {
++
++	# for XHTML conformance escaping '"' to '&quot;' is not enough
++	return esc_html(@_);
++}
++
+ # replace invalid utf8 character with SUBSTITUTION sequence
+ sub esc_html ($;%) {
+ 	my $str = shift;
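Review bot: esc_attr is a plain alias for esc_html, which is only sufficient when the attribute value sits inside quotes (every call site in this patch uses double quotes, so that holds here); an unquoted attribute would still let whitespace end the value, so the comment above the sub should state the quoted-context requirement, e.g. "# only for values enclosed in double quotes". Two smaller points: the empty line directly after `sub esc_attr {` and before the comment is a style nit, and because the sub forwards @_ unchanged, the options hash accepted by `esc_html ($;%)` is forwarded as well, which deserves a word in the comment if that is intended.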
+@@ -1106,7 +1113,7 @@ sub format_ref_marker {
+ 				$name = $ref;
+ 			}
+ 
+-			$markers .= " <span class=\"$type\" title=\"$ref\">" .
++			$markers .= " <span class=\"".esc_attr($type)."\" title=\"".esc_attr($ref)."\">" .
+ 			            esc_html($name) . "</span>";
+ 		}
+ 	}
+@@ -2517,11 +2524,11 @@ EOF
+ # print out each stylesheet that exist
+ 	if (defined $stylesheet) {
+ #provides backwards capability for those people who define style sheet in a config file
+-		print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
++		print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
+ 	} else {
+ 		foreach my $stylesheet (@stylesheets) {
+ 			next unless $stylesheet;
+-			print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
++			print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
+ 		}
+ 	}
+ 	if (defined $project) {
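Review bot: the stylesheet href values now go through esc_url, whose body is outside this diff (only its closing lines appear as context in the previous hunk); since the value lands inside a double-quoted attribute, please confirm that esc_url percent-encodes `"` and `<`, otherwise a config-provided stylesheet path could still break out of the attribute. Style-wise, the legacy `$stylesheet` scalar branch and the `@stylesheets` loop print the identical line, so a small helper for the <link> element would mean the next escaping fix is applied once rather than twice; the comment "each stylesheet that exist" should read "that exists".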
+@@ -2534,7 +2541,7 @@ EOF
+ 			my $type = lc($format);
+ 			my %link_attr = (
+ 				'-rel' => 'alternate',
+-				'-title' => "$project - $href_params{'-title'} - $format feed",
++				'-title' => esc_attr("$project - $href_params{'-title'} - $format feed"),
+ 				'-type' => "application/$type+xml"
+ 			);
+ 
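Review bot: this hunk applies esc_attr to the -title entry of %link_attr, but the lines that consume %link_attr are outside the hunk. The commit message says esc_attr is meant only for hand-built HTML and not for elements generated by CGI.pm; if %link_attr is later printed by hand the change is right, but if it is handed to a CGI.pm method that escapes attribute values itself, the title would be double-escaped (an `&` in $project would render literally as `&amp;`). Worth checking against the lines that emit the feed <link> before accepting.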
+@@ -2561,13 +2568,13 @@ EOF
+ 	} else {
+ 		printf('<link rel="alternate" title="%s projects list" '.
+ 		       'href="%s" type="text/plain; charset=utf-8" />'."\n",
+-		       $site_name, href(project=>undef, action=>"project_index"));
++		       esc_attr($site_name), href(project=>undef, action=>"project_index"));
+ 		printf('<link rel="alternate" title="%s projects feeds" '.
+ 		       'href="%s" type="text/x-opml" />'."\n",
+-		       $site_name, href(project=>undef, action=>"opml"));
++		       esc_attr($site_name), href(project=>undef, action=>"opml"));
+ 	}
+ 	if (defined $favicon) {
+-		print qq(<link rel="shortcut icon" href="$favicon" type="image/png" />\n);
++		print qq(<link rel="shortcut icon" href=").esc_url($favicon).qq(" type="image/png" />\n);
+ 	}
+ 
+ 	print "</head>\n" .
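Review bot: in the two printf calls, $site_name is now escaped but the second `%s`, filled by href(...), is not, so the hunk relies on href() returning attribute-safe output. If that is already the case, a short comment at the call site saying so would save the next reader the same check. The favicon line is fine: the interpolated $favicon was replaced by concatenation around esc_url, so the remaining qq(...) pieces no longer interpolate anything.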
+@@ -2582,7 +2589,7 @@ EOF
+ 	print "<div class=\"page_header\">\n" .
+ 	      $cgi->a({-href => esc_url($logo_url),
+ 	               -title => $logo_label},
+-	              qq(<img src="$logo" width="72" height="27" alt="git" class="logo"/>));
++	              qq(<img src=").esc_url($logo).qq(" width="72" height="27" alt="git" class="logo"/>));
+ 	print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
+ 	if (defined $project) {
+ 		print $cgi->a({-href => href(action=>"summary")}, esc_html($project));
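Review bot: the asymmetry in this hunk, -title => $logo_label passed unescaped to $cgi->a while $logo inside the hand-built <img> gets esc_url, matches the policy in the commit message (CGI.pm-generated attributes escape themselves, handcrafted ones do not), but it deserves a one-line comment at this spot, since a later reader is likely to "fix" one side or the other.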
+@@ -4287,7 +4294,7 @@ HTML
+ 			$lineno   = $4;
+ 			$data     = $5;
+ 		} else {
+-			print qq(  <tr><td colspan="5" class="error">Unable to parse: $line</td></tr>\n);
++			print qq(  <tr><td colspan="5" class="error">Unable to parse: ).esc_html($line).qq(</td></tr>\n);
+ 			next;
+ 		}
+ 		$short_rev  = substr ($long_rev, 0, 8);
+@@ -4444,14 +4451,14 @@ sub git_blob {
+ 	} else {
+ 		print "<div class=\"page_nav\">\n" .
+ 		      "<br/><br/></div>\n" .
+-		      "<div class=\"title\">$hash</div>\n";
++		      "<div class=\"title\">".esc_html($hash)."</div>\n";
+ 	}
+ 	git_print_page_path($file_name, "blob", $hash_base);
+ 	print "<div class=\"page_body\">\n";
+ 	if ($mimetype =~ m!^image/!) {
+-		print qq!<img type="$mimetype"!;
++		print qq!<img type="!.esc_attr($mimetype).qq!"!;
+ 		if ($file_name) {
+-			print qq! alt="$file_name" title="$file_name"!;
++			print qq! alt="!.esc_attr($file_name).qq!" title="!.esc_attr($file_name).qq!"!;
+ 		}
+ 		print qq! src="! .
+ 		      href(action=>"blob_plain", hash=>$hash,
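Review bot: the `type`, `alt` and `title` attributes built with qq!...! delimiters all enclose the escaped value in double quotes, so esc_attr applies cleanly here; the `src` attribute on the following lines is filled from href(action=>"blob_plain", ...) without escaping, the same reliance on href() producing attribute-safe output as in the <head> hunks, and the same request for a comment stating that assumption. The $hash change in the page_nav branch is the first of three identical `<div class="title">$hash</div>` fixes in this patch.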
+@@ -4517,7 +4524,7 @@ sub git_tree {
+ 		undef $hash_base;
+ 		print "<div class=\"page_nav\">\n";
+ 		print "<br/><br/></div>\n";
+-		print "<div class=\"title\">$hash</div>\n";
++		print "<div class=\"title\">".esc_html($hash)."</div>\n";
+ 	}
+ 	if (defined $file_name) {
+ 		$basedir = $file_name;
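Review bot: this is the same `<div class="title">`.esc_html($hash).`</div>` fix as in git_blob, and git_blobdiff repeats it once more below; a tiny helper that prints the title div from an already-escaped string would remove the duplication and make it harder for a fourth copy to be added without escaping. Not a blocker for the stable update, just a style point.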
+@@ -4942,7 +4949,7 @@ sub git_blobdiff {
+ 			git_print_header_div('commit', esc_html($co{'title'}), $hash_base);
+ 		} else {
+ 			print "<div class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
+-			print "<div class=\"title\">$hash vs $hash_parent</div>\n";
++			print "<div class=\"title\">".esc_html("$hash vs $hash_parent")."</div>\n";
+ 		}
+ 		if (defined $file_name) {
+ 			git_print_page_path($file_name, "blob", $hash_base);
+-- 
+1.7.4.rc2
+
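Review bot: the context line `print "<div class=\"page_nav\"><br/>$formats_nav<br/></div>\n";` directly above the changed line still interpolates $formats_nav unescaped while `$hash vs $hash_parent` is now escaped; that is correct only if $formats_nav holds already-rendered HTML assembled from escaped parts, and a comment there would make the distinction explicit. Escaping the joined string with esc_html("$hash vs $hash_parent") in one call is fine, as " vs " contains nothing that escaping touches.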

--- End Message ---
--- Begin Message ---
Jonathan Nieder wrote:

>  git-core (1:1.5.6.5-3+lenny3.3) stable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * debian/diff/0010-CVE-2010-3906.diff:
>      new; gitweb: do not parrot filenames or other arguments given
>      in a request without proper quoting (closes: #607248).
[...]
> Accepted:

Therefore closing.  Thanks again to all.


--- End Message ---
