[gitolite/f15/master] Fix ADC security issue
Lubomir Rintel
lkundrak at fedoraproject.org
Wed Feb 16 10:20:55 UTC 2011
commit 4354431f796948c060132091c8295480a809b41b
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Tue Feb 15 12:13:42 2011 +0100
Fix ADC security issue
Dylan Alex Simon discovered and reported a directory traversal flaw in
the way Gitolite restricted access to admin defined commands ("ADC"). An
authenticated attacker could execute arbitrary code with privileges of
Gitolite server user using specially crafted command name.
The flaw does not affect default Gitolite installations. Users who have
enabled ADC in their configurations are advised to install the updated
package which includes a fix to resolve the issue.
adcfix.pre-v2.patch | 12 ++++++++++++
gitolite.spec | 5 +++++
2 files changed, 17 insertions(+), 0 deletions(-)
---
diff --git a/adcfix.pre-v2.patch b/adcfix.pre-v2.patch
new file mode 100644
index 0000000..f7a426c
--- /dev/null
+++ b/adcfix.pre-v2.patch
@@ -0,0 +1,12 @@
+diff --git i/src/gl-auth-command w/src/gl-auth-command
+index 1af4232..f3449a5 100755
+--- i/src/gl-auth-command
++++ w/src/gl-auth-command
+@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n"
+ if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
+ my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
+ if (-x "$GL_ADC_PATH/$cmd") {
++ die "I don't like $cmd\n" if $cmd =~ /\.\./;
+ # yes this is rather strict, sorry.
+ do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args);
+ &log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
diff --git a/gitolite.spec b/gitolite.spec
index 086e8a0..e035e0d 100644
--- a/gitolite.spec
+++ b/gitolite.spec
@@ -25,6 +25,7 @@ Source1: gitolite-README-fedora
# Far from being upstreamable
Patch0: gitolite-1.5.7-rpm.patch
Patch1: gitolite-1.4.2-conf.patch
+Patch2: adcfix.pre-v2.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildArch: noarch
@@ -55,6 +56,7 @@ elsewhere in the doc/ directory.
# Don't create backups; would mess with %%install
%patch0 -p1
%patch1 -p1
+%patch2 -p1
cp %{SOURCE1} .
@@ -114,6 +116,9 @@ exit 0
%changelog
+* Tue Feb 15 2011 Lubomir Rintel <lkundrak at v3.sk> - 1.5.8-2
+- Fix ADC security issue
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
More information about the scm-commits
mailing list