Stefan Göbel
2010-Jan-26 20:49 UTC
[Secure-testing-team] Bug#567039: trac-git: Arbitrary command execution
Package: trac-git
Version: 0.0.20080710-3
Severity: grave
Tags: patch security
Justification: user security hole

The trac-git package in Debian Lenny - if enabled in Trac - allows a remote attacker to execute arbitrary commands on the system with the rights of the user running Trac. The attacker must have the rights to browse the repository in order to exploit this issue; other parts of Trac are most likely not affected.

The attached patch fixes the problem. It is not thoroughly tested, but it seems to work fine on my test system with a few Git repositories.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-lenny.2.6.26-osiris.full.0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages trac-git depends on:
ii  git-core        1:1.5.6.5-3+lenny2  fast, scalable, distributed revisi
ii  python          2.5.2-3             An interactive high-level object-o
ii  python-central  0.6.8               register and build utility for Pyt
ii  trac            0.11.1-2.1          Enhanced wiki and issue tracking s

trac-git recommends no packages.
trac-git suggests no packages.

-- no debconf information

--- PyGIT.py.orig 2008-12-09 23:37:18.000000000 +0100 +++ PyGIT.py 2010-01-26 21:21:26.000000000 +0100 @@ -42,10 +42,9 @@ cmd.append(''--git-dir=%s'' % self.__git_dir) cmd.append(gitcmd) cmd.extend(args) - strcmd = " ".join(cmd) #print >>sys.stderr, "GitCore ''%s''" % str(cmd) - return Popen(strcmd, shell=True, bufsize=0, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) + return Popen(cmd, shell=False, bufsize=0, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) def __execute(self, git_cmd, *cmd_args): file = self.__execute2(git_cmd, *cmd_args)
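Review bot: Handing the list `cmd` to `Popen` with `shell=False` is the right fix for the `" ".join(cmd)` plus `shell=True` pattern in `__execute2`: each element of `cmd` now reaches git as one literal argv entry and no shell ever parses repository paths, revision names or file names that came from the request. Two follow-ups for the same hunk: the dead `strcmd` assignment is gone but the commented-out `#print >>sys.stderr` debug line above the return is still there and could go with it; and `shell=False` only removes shell interpretation, it does not stop git from reading an `args` element that starts with `-` as an option, so callers of `__execute2` should still place user-supplied values after a `--` separator or validate them before `cmd.extend(args)`.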