Date: Thu, 14 Jan 2016 11:55:46 -0500 (EST)
Subject: Re: CVE Request: CGit - Multiple vulnerabilities

> 1. Reflected Cross Site Scripting & Header Injection in Mimetype Query
> String [Katowicz-Kowalewski]
> The ui-blob handler accepted a mimetype as a query string and then
> echoed this string verbatim back. A malicious user could provide a
> string like:
> This has been fixed by removing support for the mimetype query string parameter:

Use CVE-2016-1899.

> And then restricting to only generic mimetypes:
> And finally, just in case, setting the IE anti-sniffing header as well
> as a restrictive CSP header:

There is no CVE ID associated with either of these other changes,
which seem to be for defense-in-depth purposes.

> 2. Stored Cross Site Scripting & Header Injection in Filename
> Parameter [Donenfeld]
> A user who has write access to the git repository could create
> filenames containing new lines that would result in that filename,
> including the newlines, being included in a header, resulting in
> header injection and eventually XSS.
> This has been fixed by properly escaping filenames in headers:

Use CVE-2016-1900.

> Additionally, while the redirect for the /about -> /about/ page does
> *not* appear to be vulnerable due to mitigating conditions, the
> following commit was made to similarly harden potential injections
> here:

There is no CVE ID associated with this additional issue.

> 3. Stored Cross Site Scripting in Git Repo Files [Katowicz-Kowalewski]
> A user who has write access to the git repository can add HTML pages
> and then serve them with an HTML mimetype. A user could therefore
> upload pages with malicious javascript executing in the same origin as
> the cgit web site. While this is ordinarily not a problem for
> single-use users - and indeed some users rather like being able to
> serve html from cgit - sites that allow potentially malicious third
> party users may not find this behavior desirable.
> This has been fixed by adding a configuration option,
> "enable-html-serving", which is by default off:
> This flag sets anti-sniffing, CSP, and restricts mimetypes to
> non-"application/" (except for application/pdf and
> application/octet-stream) and non-"text/" (except for text/plain).

There is no CVE ID associated with this report, which seems to be
about adding new security-related functionality. We realize that other
perspectives may have existed, especially because the attacker for
both 2 and 3 is "A user who has write access to the git repository."
However, we typically don't want to have a CVE for a design change
that probably breaks a number of existing installations unless
reconfigured. Also, it seems that another possibility may have been
creation of a framework for segregating the user-uploaded HTML files
into a different origin (admittedly this may not be worthwhile because
running a cgit service with two domain names probably isn't what the
ordinary cgit customer wants).

> 4. Integer Overflow resulting in Buffer Overflow [Cabetas]
> ctx.env.content_length is an unsigned int, coming from the
> CONTENT_LENGTH environment variable, which is parsed by strtoul. The
> HTTP/1.1 spec says that "any Content-Length greater than or equal to
> zero is a valid value." By storing this unsigned int into an int, we
> potentially overflow it, resulting in the following bounding check
> failing, leading to a buffer overflow.
> This has been fixed by this commit:

Use CVE-2016-1901.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
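As an added illustration of item 4 above (constructed example code, not cgit's own source), the check below shows why storing an unsigned CONTENT_LENGTH in an int lets the bound check fail open, beside a form that stays in the unsigned domain; the BODY_MAX bound and all function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 4096u  /* constructed buffer bound for this example */

/* Parse CONTENT_LENGTH with strtoul, as the report says cgit does, but accept
 * only a clean non-negative decimal that fits an unsigned int (strtoul alone
 * would happily parse "-1" as ULONG_MAX). */
static bool parse_content_length(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || !isdigit((unsigned char)*s))
        return false;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return false;
    *out = (unsigned int)v;
    return true;
}

/* The defect pattern from item 4: the unsigned length is narrowed to int
 * before the bound check. On two's-complement targets any value >= 2^31
 * becomes negative, so "len > BODY_MAX" is false and the check fails open. */
static bool unsafe_length_ok(unsigned int content_length)
{
    int len = (int)content_length;      /* the narrowing that loses the bound */
    return !(len > (int)BODY_MAX);
}

/* Hardened form: compare in the unsigned domain with no narrowing at all. */
static bool safe_length_ok(unsigned int content_length)
{
    return content_length <= BODY_MAX;
}

/* Copy a body into a fixed buffer only when the declared length really fits.
 * Returns the bytes copied, or 0 when the request is rejected. */
static size_t read_body(const char *src, unsigned int content_length,
                        char *dst, size_t dst_size)
{
    if (!safe_length_ok(content_length) || content_length > dst_size)
        return 0;
    memcpy(dst, src, content_length);
    return content_length;
}
```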