cgit: CVE-2016-1899 CVE-2016-1900 CVE-2016-1901

Related Vulnerabilities: CVE-2016-1899   CVE-2016-1900   CVE-2016-1901  

Debian Bug report logs - #812411

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 23 Jan 2016 13:18:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version cgit/0.10.2.git2.0.1-3

Fixed in version cgit/0.11.2.git2.3.2-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alexander Wirt <formorer@debian.org>:
Bug#812411; Package src:cgit. (Sat, 23 Jan 2016 13:18:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alexander Wirt <formorer@debian.org>. (Sat, 23 Jan 2016 13:18:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cgit: CVE-2016-1899 CVE-2016-1900 CVE-2016-1901
Date: Sat, 23 Jan 2016 14:16:51 +0100
Source: cgit
Version: 0.10.2.git2.0.1-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for cgit.

CVE-2016-1899[0]:
| CRLF injection vulnerability in the ui-blob handler in CGit before
| 0.12 allows remote attackers to inject arbitrary HTTP headers and
| conduct HTTP response splitting attacks or cross-site scripting (XSS)
| attacks via CRLF sequences in the mimetype parameter, as demonstrated
| by a request to blob/cgit.c.

CVE-2016-1900[1]:
| CRLF injection vulnerability in the cgit_print_http_headers function
| in ui-shared.c in CGit before 0.12 allows remote attackers with
| permission to write to a repository to inject arbitrary HTTP headers
| and conduct HTTP response splitting attacks or cross-site scripting
| (XSS) attacks via newline characters in a filename.

CVE-2016-1901[2]:
| Integer overflow in the authenticate_post function in CGit before 0.12
| allows remote attackers to have unspecified impact via a large value
| in the Content-Length HTTP header, which triggers a buffer overflow.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1899
[1] https://security-tracker.debian.org/tracker/CVE-2016-1900
[2] https://security-tracker.debian.org/tracker/CVE-2016-1901

Regards,
Salvatore
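
The two bug classes named in the CVE descriptions above (CR/LF reaching an HTTP header value, and a Content-Length value that overflows a signed length) can be caught with checks like the following. This is an added illustration, not part of the original report and not cgit's code or its upstream patches; MAX_POST_BYTES and all function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_POST_BYTES 4096  /* assumed read-buffer size for this example */

/* Returns 1 if value may be written into an HTTP header line: it must not
 * contain CR, LF, any other control byte (tab is allowed) or DEL. */
int header_value_is_safe(const char *value)
{
    const unsigned char *p;
    if (value == NULL)
        return 0;
    for (p = (const unsigned char *)value; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;
    return 1;
}

/* Parses a Content-Length string into *out. Returns 0 on success, -1 if
 * the text is not a plain decimal number or exceeds MAX_POST_BYTES. */
int parse_content_length(const char *text, size_t *out)
{
    unsigned long long n;
    char *end;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;              /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    n = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflowed the type, or trailing junk */
    if (n > MAX_POST_BYTES)
        return -1;              /* larger than the read buffer */
    *out = (size_t)n;
    return 0;
}

/* Unsafe pattern for contrast: on common platforms a value above INT_MAX
 * becomes negative after the cast, so the upper-bound check lets it by. */
int naive_length_check_passes(const char *text)
{
    int len = (int)strtoll(text, NULL, 10);   /* truncating conversion */
    return len <= MAX_POST_BYTES;
}
```
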



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Wirt <formorer@debian.org>:
Bug#812411; Package src:cgit. (Sun, 31 Jan 2016 18:39:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Wirt <formorer@debian.org>. (Sun, 31 Jan 2016 18:39:06 GMT).


Message #10 received at 812411@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 812411@bugs.debian.org
Subject: Re: Bug#812411: cgit: CVE-2016-1899 CVE-2016-1900 CVE-2016-1901
Date: Sun, 31 Jan 2016 19:37:15 +0100
Control: tags -1 + patch

Hi Alexander,

On Sat, Jan 23, 2016 at 02:16:51PM +0100, Salvatore Bonaccorso wrote:
> Source: cgit
> Version: 0.10.2.git2.0.1-3
> Severity: important
> Tags: security upstream patch fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for cgit.
> 
> CVE-2016-1899[0]:
> | CRLF injection vulnerability in the ui-blob handler in CGit before
> | 0.12 allows remote attackers to inject arbitrary HTTP headers and
> | conduct HTTP response splitting attacks or cross-site scripting (XSS)
> | attacks via CRLF sequences in the mimetype parameter, as demonstrated
> | by a request to blob/cgit.c.
> 
> CVE-2016-1900[1]:
> | CRLF injection vulnerability in the cgit_print_http_headers function
> | in ui-shared.c in CGit before 0.12 allows remote attackers with
> | permission to write to a repository to inject arbitrary HTTP headers
> | and conduct HTTP response splitting attacks or cross-site scripting
> | (XSS) attacks via newline characters in a filename.
> 
> CVE-2016-1901[2]:
> | Integer overflow in the authenticate_post function in CGit before 0.12
> | allows remote attackers to have unspecified impact via a large value
> | in the Content-Length HTTP header, which triggers a buffer overflow.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-1899
> [1] https://security-tracker.debian.org/tracker/CVE-2016-1900
> [2] https://security-tracker.debian.org/tracker/CVE-2016-1901

Attached is a proposed debdiff, but I was not able to test the resulting
package on a cgit instance. The patches are straightforwardly taken from
the git repo.

Regards,
Salvatore
[cgit_0.11.2.git2.3.2-1.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Wirt <formorer@debian.org>:
Bug#812411; Package src:cgit. (Sun, 07 Feb 2016 06:06:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Wirt <formorer@debian.org>. (Sun, 07 Feb 2016 06:06:05 GMT).


Message #15 received at 812411@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 812411@bugs.debian.org
Subject: cgit: diff for NMU version 0.11.2.git2.3.2-1.1
Date: Sun, 7 Feb 2016 07:03:43 +0100
Control: tags 812411 + pending

Hi Alexander,

I've prepared an NMU for cgit (versioned as 0.11.2.git2.3.2-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[cgit-0.11.2.git2.3.2-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 812411-submit@bugs.debian.org. (Sun, 07 Feb 2016 06:06:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#812411; Package src:cgit. (Sun, 07 Feb 2016 07:48:29 GMT).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. (Sun, 07 Feb 2016 07:48:29 GMT).


Message #22 received at 812411@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 812411@bugs.debian.org
Subject: Re: Bug#812411: cgit: diff for NMU version 0.11.2.git2.3.2-1.1
Date: Sun, 7 Feb 2016 08:28:15 +0100
On Sun, 07 Feb 2016, Salvatore Bonaccorso wrote:

> Control: tags 812411 + pending
> 
> Hi Alexander,
> 
> I've prepared an NMU for cgit (versioned as 0.11.2.git2.3.2-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.
That's wonderful. Thanks for your work!

Alex




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 12 Feb 2016 06:36:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 12 Feb 2016 06:36:06 GMT).


Message #27 received at 812411-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 812411-close@bugs.debian.org
Subject: Bug#812411: fixed in cgit 0.11.2.git2.3.2-1.1
Date: Fri, 12 Feb 2016 06:33:56 +0000
Source: cgit
Source-Version: 0.11.2.git2.3.2-1.1

We believe that the bug you reported is fixed in the latest version of
cgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 812411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated cgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Jan 2016 20:54:12 +0100
Source: cgit
Binary: cgit
Architecture: source
Version: 0.11.2.git2.3.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Alexander Wirt <formorer@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 812411
Description: 
 cgit       - hyperfast web frontend for git repositories written in C
Changes:
 cgit (0.11.2.git2.3.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-1899: Reflected XSS and header injection in mimetype query
     string (Closes: #812411)
   * CVE-2016-1900: Stored cross site scripting and header injection in
     filename parameter (Closes: #812411)
   * CVE-2016-1901: Integer overflow resulting in buffer overflow
     (Closes: #812411)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Apr 2016 07:26:14 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:29:18 2019; Machine Name: beach
