Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Jan 2016 11:55:46 -0500 (EST)
Subject: Re: CVE Request: CGit - Multiple vulnerabilities

Hash: SHA256

> 1. Reflected Cross Site Scripting & Header Injection in Mimetype Query
> String [Katowicz-Kowalewski]
> The ui-blob handler accepted a mimetype as a query string and then
> echoed this string verbatim back. A malicious user could provide a
> string like:
> This has been fixed by removing support for the mimetype query string parameter:

Use CVE-2016-1899.

> And then restricting to only generic mimetypes:
> And finally, just in case, setting the IE anti-sniffing header as well
> as a restrictive CSP header:

There is no CVE ID associated with either of these other changes,
which seem to be for defense-in-depth purposes.

> 2. Stored Cross Site Scripting & Header Injection in Filename
> Parameter [Donenfeld]
> A user who has write access to the git repository could create
> filenames containing new lines that would result in that filename,
> including the newlines, being included in a header, resulting in
> header injection and eventually XSS.
> This has been fixed by properly escaping filenames in headers:

Use CVE-2016-1900.

> Additionally, while the redirect for the /about -> /about/ page does
> *not* appear to be vulnerable due to mitigating conditions, the
> following commit was made to similarly harden potential injections
> here:

There is no CVE ID associated with this additional issue.

> 3. Stored Cross Site Scripting in Git Repo Files [Katowicz-Kowalewski]
> A user who has write access to the git repository can add HTML pages
> and then serve them with an HTML mimetype. A user could therefore
> upload pages with malicious javascript executing in the same origin as
> the cgit web site. While this is ordinarily not a problem for
> single-use users - and indeed some users rather like being able to
> serve html from cgit - sites that allow potentially malicious third
> party users may not find this behavior desirable.
> This has been fixed by adding a configuration option,
> "enable-html-serving", which is by default off:
> This flag sets anti-sniffing, CSP, and restricts mimetypes to
> non-"application/" (except for application/pdf and
> application/octet-stream) and non-"text/" (except for text/plain).

There is no CVE ID associated with this report, which seems to be
about adding new security-related functionality. We realize that other
perspectives may have existed, especially because the attacker for
both 2 and 3 is "A user who has write access to the git repository."
However, we typically don't want to have a CVE for a design change
that probably breaks a number of existing installations unless
reconfigured. Also, it seems that another possibility may have been
creation of a framework for segregating the user-uploaded HTML files
into a different origin (admittedly this may not be worthwhile because
running a cgit service with two domain names probably isn't what the
ordinary cgit customer wants).

> 4. Integer Overflow resulting in Buffer Overflow [Cabetas]
> ctx.env.content_length is an unsigned int, coming from the
> CONTENT_LENGTH environment variable, which is parsed by strtoul. The
> HTTP/1.1 spec says that "any Content-Length greater than or equal to
> zero is a valid value." By storing this unsigned int into an int, we
> potentially overflow it, resulting in the following bounding check
> failing, leading to a buffer overflow.
> This has been fixed by this commit:

Use CVE-2016-1901.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ