Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5492F801.2060102@uu.nl>
Date: Thu, 18 Dec 2014 16:51:29 +0100
From: Dawa Ometto <d.l.a.ometto@...nl>
To: <oss-security@...ts.openwall.com>
Subject: Re: CVE request: remote code execution vulnerability in gollum <
 3.1.1

Resubmitting this (while fixing version number typo in the subject-line)
since it never did receive a CVE.

On 04/12/14 22:08, Dawa Ometto wrote:
> Hi,
>
> I just released a fix for a remote code execution vulnerability in
> gollum [1]. The vulnerable code was in the gollum-grit_adapter [2] ruby
> gem dependency as of gollum v3.1.0, but the exploitable code was also
> present before that version, in the gollum-lib [3] gem dependency (code
> was abstracted from gollum-lib to the new dependency).
>
> Type of vulnerability: remote code execution
> Attack outcome: run arbitrary commands, shell access
> Vulnerable versions: gollum < 3.1.1, gollum-lib < 4.0.1,
> gollum-grit_adapter < 0.1.1
> Fix: `gem update gollum` will update the dependencies.
> Link to vulnerability/fix diff:
> https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7
> Link to project issue: https://github.com/gollum/gollum/issues/913
>
> Description: The bug exploits the fact that gollum uses the grit gem for
> git repository access, which makes command-line calls to `git grep` to
> search files. `git grep` has an `-O` or `--open-files-in-pager` option
> which can spawn an arbitrary process (to act as pager). In vulnerable
> versions of gollum, searching for the string `-O<arbitrary command>` or
> `--open-files-in-pager <arbritary command>` in the wiki's search field
> will execute an arbitrary shell command. However, this will only work if
> the string "master" (or more precisely, the name of the git branch that
> gollum is using) is found in one of the wiki's files: "master" is then
> interpreted as the search query, `-O<arbitary code>` as a command line
> option to `git grep`.
>
> The fix in the `gollum-grit_adapter` gem v.0.1.1 shell-escapes the
> user's query and removes any -O or --open-file-in-pager option from it.
>
> [1] https://github.com/gollum/gollum, https://rubygems.org/gems/gollum
> [2] https://github.com/gollum/grit_adapter
> [3] https://github.com/gollum/gollum-lib
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.