Message-ID: <CAHmME9qMafTAqWTgj6oRHmN9HZtJ8KrghR1U63H=r+jA7M3zyg@mail.gmail.com>
Date: Thu, 14 Jan 2016 15:21:36 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: "cgit@...ts.zx2c4.com" <cgit@...ts.zx2c4.com>, oss-security <oss-security@...ts.openwall.com>
Cc: Daniel Chromek <chromek@...t.sk>, Krzysztof Katowicz-Kowalewski <krzysztof.kowalewski@...t.pl>, Erik Cabetas <erik@...ludesecurity.com>, Konstantin Ryabitsev <mricon@...nel.org>
Subject: CVE Request: CGit - Multiple vulnerabilities

Hi folks,

Krzysztof Katowicz-Kowalewski from ESET, Erik Cabetas from Include Security, and myself (Jason Donenfeld) from Edge Security have found a few vulnerabilities in CGit:

1. Reflected Cross Site Scripting & Header Injection in Mimetype Query String [Katowicz-Kowalewski]

The ui-blob handler accepted a mimetype as a query string and then echoed this string verbatim back. A malicious user could provide a string like:

http://git.zx2c4.com/cgit/blob/cgit.c?mimetype=text/html%0d%0a%0d%0a<script>xss</script>

This has been fixed by removing support for the mimetype query string parameter:

http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96

And then restricting to only generic mimetypes:

http://git.zx2c4.com/cgit/commit/?id=92996ac2a6fc4e944c3d723e12d5ab244a43508e

And finally, just in case, setting the IE anti-sniffing header as well as a restrictive CSP header:

http://git.zx2c4.com/cgit/commit/?id=9ca2566972db968df4479108b29bb92551138b57

2. Stored Cross Site Scripting & Header Injection in Filename Parameter [Donenfeld]

A user who has write access to the git repository could create filenames containing newlines that would result in that filename, including the newlines, being included in a header, resulting in header injection and eventually XSS.

This has been fixed by properly escaping filenames in headers:

http://git.zx2c4.com/cgit/commit/?id=513b3863d999f91b47d7e9f26710390db55f9463

Additionally, while the redirect for the /about -> /about/ page does *not* appear to be vulnerable due to mitigating conditions, the following commit was made to similarly harden potential injections here:

http://git.zx2c4.com/cgit/commit/?id=4291453ec30656c2f59645d8a74cf295ce0253a9

3. Stored Cross Site Scripting in Git Repo Files [Katowicz-Kowalewski]

A user who has write access to the git repository can add HTML pages and then serve them with an HTML mimetype. A user could therefore upload pages with malicious JavaScript executing in the same origin as the cgit web site. While this is ordinarily not a problem for single-use users - and indeed some users rather like being able to serve HTML from cgit - sites that allow potentially malicious third party users may not find this behavior desirable.

This has been fixed by adding a configuration option, "enable-html-serving", which is by default off:

http://git.zx2c4.com/cgit/commit/?id=aaba5f8b925f44f7d5ffb0a45fe349642d478513

This flag sets anti-sniffing, CSP, and restricts mimetypes to non-"application/" (except for application/pdf and application/octet-stream) and non-"text/" (except for text/plain). If you have a better idea of what sort of white/black list to use for this, I am open to suggestions.

4. Integer Overflow resulting in Buffer Overflow [Cabetas]

ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this unsigned int into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow.

This has been fixed by this commit:

http://git.zx2c4.com/cgit/commit/?id=4458abf64172a62b92810c2293450106e6dfc763

A new version containing these security fixes will be published shortly.

Thanks,
Jason
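The integer-overflow pattern in item 4, as an added illustration that is not part of the advisory and not cgit's code: `vulnerable_length_check` reconstructs the shape of the defect the post describes (an unsigned length narrowed to a signed int before the bounds check), and `parse_content_length` shows the kind of check that keeps the value unsigned the whole way. `BODY_MAX`, both function names and the return conventions are assumptions for this example; cgit's actual buffer sizes and fix are in the linked commit, not here.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical body-size limit; cgit's real buffer sizes are not given in the advisory. */
#define BODY_MAX 4096

/* The defect pattern from item 4: the unsigned length is stored in a signed
 * int before the bounds check. On two's-complement platforms a value such as
 * 4294967295 becomes -1, which is not "> BODY_MAX", so the check passes and
 * the caller would go on to read far more than BODY_MAX bytes.
 * Returns 1 if the length would be accepted, 0 if rejected.
 * Reconstruction of the pattern, not cgit's code. */
int vulnerable_length_check(unsigned long content_length)
{
	int len = (int)content_length;   /* narrowing to int: huge values wrap negative */
	if (len > BODY_MAX)
		return 0;                /* only positive oversize values are caught */
	return 1;
}

/* Hardened parser for a CONTENT_LENGTH string: reject anything malformed,
 * signed, out of range or larger than the buffer, and compare while the
 * value is still unsigned so no wrap can defeat the check.
 * Returns the validated length (0..BODY_MAX), or -1 if rejected. */
long parse_content_length(const char *env)
{
	char *end;
	unsigned long v;

	/* strtoul would silently accept "-1" (negating it) and skip leading
	 * whitespace; neither is a valid Content-Length, so reject up front. */
	if (env == NULL || *env == '\0' || *env == '-' || *env == '+' ||
	    isspace((unsigned char)*env))
		return -1;

	errno = 0;
	v = strtoul(env, &end, 10);
	if (errno == ERANGE || *end != '\0')
		return -1;               /* overflowed unsigned long, or trailing junk */
	if (v > BODY_MAX)
		return -1;               /* unsigned comparison: 4294967295 is rejected */
	return (long)v;
}

int main(void)
{
	printf("vulnerable check, 4294967295: %s\n",
	       vulnerable_length_check(4294967295UL) ? "accepted" : "rejected");
	printf("hardened check, 4294967295: %ld\n", parse_content_length("4294967295"));
	printf("hardened check, 100: %ld\n", parse_content_length("100"));
	return 0;
}
```

The point of the hardened version is not the extra parsing checks but the type: once the length has been narrowed to `int`, no later comparison against a positive limit can recover the information that was lost.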
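The response-header side of items 1 to 3, as an added example that is not part of the advisory and not cgit's code: a check that a header value carries no CR, LF or other control bytes (what the `%0d%0a%0d%0a` payload in item 1 relies on), a builder that neutralises such bytes in a filename before it is placed in a Content-Disposition header (the class of fix in item 2), and a mimetype filter modelled on the policy the post describes for `enable-html-serving` being off. The function names, the `_` replacement character and the fixed output buffer are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the value may go into an HTTP header unchanged: no CR, LF or
 * other control bytes, which are what let a value end the header block
 * early and start a body of the attacker's choosing. Hypothetical helper. */
int header_value_is_safe(const char *s)
{
	for (; *s; s++) {
		unsigned char c = (unsigned char)*s;
		if (c < 0x20 || c == 0x7f)
			return 0;
	}
	return 1;
}

/* Build a Content-Disposition header for a repository-controlled filename.
 * Control bytes, '"' and '\\' are replaced with '_' so the value can neither
 * terminate the header nor escape the quoted string. Returns a pointer to a
 * static buffer, or NULL if the filename does not fit. Hypothetical helper;
 * the replacement character is an assumption for this example. */
const char *content_disposition_for(const char *filename)
{
	static char out[512];
	const char *prefix = "Content-Disposition: inline; filename=\"";
	size_t pl = strlen(prefix), fl = strlen(filename), n, i;

	if (pl + fl + 2 > sizeof(out))   /* closing quote + NUL */
		return NULL;
	memcpy(out, prefix, pl);
	n = pl;
	for (i = 0; i < fl; i++) {
		unsigned char c = (unsigned char)filename[i];
		out[n++] = (c < 0x20 || c == 0x7f || c == '"' || c == '\\') ? '_' : (char)c;
	}
	out[n++] = '"';
	out[n] = '\0';
	return out;
}

/* Mimetype policy modelled on the advisory's description of item 3: with
 * HTML serving disabled, "text/" is limited to text/plain and "application/"
 * to application/pdf and application/octet-stream; other top-level types
 * pass. Returns 1 if the mimetype may be served, 0 otherwise. */
int mimetype_allowed(const char *mt, int enable_html_serving)
{
	if (enable_html_serving)
		return 1;
	if (strncmp(mt, "text/", 5) == 0)
		return strcmp(mt, "text/plain") == 0;
	if (strncmp(mt, "application/", 12) == 0)
		return strcmp(mt, "application/pdf") == 0 ||
		       strcmp(mt, "application/octet-stream") == 0;
	return 1;
}

int main(void)
{
	/* Constructed inputs: a benign name and one carrying CRLF and a quote. */
	printf("%s\n", content_disposition_for("cgit.c"));
	printf("%s\n", content_disposition_for("a\r\nb\"c"));
	printf("text/html allowed without html serving: %d\n", mimetype_allowed("text/html", 0));
	return 0;
}
```

Replacing bytes keeps the example short; a production implementation would more likely percent-encode the name per RFC 5987 so it survives intact, but the invariant is the same: nothing below 0x20 reaches the header, and the quoted string cannot be closed early.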