Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5480CD52.3010509@uu.nl>
Date: Thu, 4 Dec 2014 22:08:34 +0100
From: Dawa Ometto <d.l.a.ometto@...nl>
To: <oss-security@...ts.openwall.com>
Subject: CVE request: remote code execution vulnerability in gollum < 4.0.1

Hi,

I just released a fix for a remote code execution vulnerability in
gollum [1]. The vulnerable code was in the gollum-grit_adapter [2] ruby
gem dependency as of gollum v3.1.0, but the exploitable code was also
present before that version, in the gollum-lib [3] gem dependency (code
was abstracted from gollum-lib to the new dependency).

Type of vulnerability: remote code execution
Attack outcome: run arbitrary commands, shell access
Vulnerable versions: gollum < 3.1.1, gollum-lib < 4.0.1,
gollum-grit_adapter < 0.1.1
Fix: `gem update gollum` will update the dependencies.
Link to vulnerability/fix diff:
https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7
Link to project issue: https://github.com/gollum/gollum/issues/913

Description: The bug exploits the fact that gollum uses the grit gem for
git repository access, which makes command-line calls to `git grep` to
search files. `git grep` has an `-O` or `--open-files-in-pager` option
which can spawn an arbitrary process (to act as pager). In vulnerable
versions of gollum, searching for the string `-O<arbitrary command>` or
`--open-files-in-pager <arbritary command>` in the wiki's search field
will execute an arbitrary shell command. However, this will only work if
the string "master" (or more precisely, the name of the git branch that
gollum is using) is found in one of the wiki's files: "master" is then
interpreted as the search query, `-O<arbitary code>` as a command line
option to `git grep`.

The fix in the `gollum-grit_adapter` gem v.0.1.1 shell-escapes the
user's query and removes any -O or --open-file-in-pager option from it.

[1] https://github.com/gollum/gollum, https://rubygems.org/gems/gollum
[2] https://github.com/gollum/grit_adapter
[3] https://github.com/gollum/gollum-lib

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.