Re: CVE Request: cgit command injection

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/27/2012 08:10 PM, Jason A. Donenfeld wrote:
> Hi Kurt,
>
> From
> http://git.zx2c4.com/cgit/commit/?id=7ea35f9f8ecf61ab42be9947aae1176ab6e089bd
:
> "syntax-highlighting.sh: Fix command injection.
>
> By not quoting the argument, an attacker with the ability to add
> files to the repository could pass arbitrary arguments to the
> highlight command, in particular, the --plug-in argument which can
> lead to arbitrary command execution.
>
> This patch adds simple argument quoting."
>
>
> The vulnerable script is not a hard requirement and is more in the 
> "contrib" variety of things. That said, lots of users do wind up
> using it verbatim, as it's simple and works well, so this does
> affect a decent number of folks.
>
> The patch for it will be released in the upcoming cgit release,
> along with the previous CVE for that buffer overflow. I'll send the
> list an update when that release is made.
>
>
> Thanks, Jason

Ouch. Please use CVE-2012-4548 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQjNUrAAoJEBYNRVNeJnmTh/oP/23yPigb0OaKUljZY1ZmBJq/
DhuZLpUxqP3g4hfDXo4USBut8MLv7vksGBwJeF9D/AgAE6p3U2R7W6ycKgWX4Rvx
AXu29Eqz8IY1cxuKKrFaUbPr06sUlhnkYpVXog81+iqUlECe5MRDtr70NEJXRe9L
94DsGJglckmC6XgRZ3UwG2eracfdqTFiMQ/J8kiw7DsPAjOEZzrdp5VkoEnheLsQ
ltWNcEMh5rWfyTMv7fMyJ34JC3iDfYjkghK6ihCBlr8uSyq98gjMt27nz74twH4A
tIVtDoWoPmBXJePghnGuAI+hjtRpAWV5bwmVx78hBy+I5eUU+rW2ljOMmg3kA3lN
DTDDApnmD+WrLTyEwLTPSIAJCAKcGdtOIfYiHmLJ7E/26yyks/p2JvXexSfeWWKK
yAV9IdJdx4Wtf32Y2hYELWnQfBjx4bFoOG4QgsGrSyMi5lzVhqXJeXWsnBG9P7Mg
ZEFed2po4HjNoH4IxbQTOtW1fZmNbYDaMsMfRSqgJt27j+d7Vg/oabdxXyEbM59D
/+ELYf3twprQFkLUboLIU7LtseqOOjTYFIqYWddryXf+MJisaBNWqBkV7VV5WaTe
t+zUlWH1SWyaJ/i+WO4ddSyqNv0RI8BJOo5hyczsWsj7xXefNEGuXdlO+nhvBHmb
ijnlLFH+YHjs6fT1WBSX
=HicY
-----END PGP SIGNATURE-----