Directory traversal vulnerability

Bug #1787021 reported by Unit 193
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| cgit (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | New | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Steve Beattie | |

Bug Description

Howdy,

The CVE says: "cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request."

This has been fixed upstream with https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680

This was fixed in Debian unstable: https://tracker.debian.org/news/979737/accepted-cgit-11git2102-31-source-into-unstable/
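
The kind of input check that closes this class of bug, as an added example (not cgit's code and not the patch from the linked commit): a hypothetical helper, `clone_path_is_safe`, that validates the `path` query value before it is appended to a repository's objects directory. The sample values are constructed, apart from the `../` taken from the CVE text.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical helper (not cgit's code): decide whether a `path` query
 * value may be appended to a repository's objects/ directory.
 * Allowlist: ASCII letters, digits, '/', '.', '-'. Any ".." sequence,
 * an empty value, or a leading '/' is refused.
 */
static bool clone_path_is_safe(const char *path)
{
	const char *p;

	if (path == NULL || *path == '\0' || *path == '/')
		return false;
	for (p = path; *p; ++p) {
		if (p[0] == '.' && p[1] == '.')
			return false;	/* parent-directory reference */
		if (!isalnum((unsigned char)*p) &&
		    *p != '/' && *p != '.' && *p != '-')
			return false;	/* '%', backslash, spaces, ... */
	}
	return true;
}

int main(void)
{
	/* Constructed sample values, plus the "../" from the CVE text. */
	const char *samples[] = {
		"info/packs",
		"pack/pack-0123456789abcdef0123456789abcdef01234567.pack",
		"ab/cdef0123456789abcdef0123456789abcdef01",
		"../",
		"pack/../../other",
		"/absolute",
		"..%2f",
		"",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-58s %s\n", samples[i],
		       clone_path_is_safe(samples[i]) ? "serve" : "400");
	return 0;
}
```

The allowlist is deliberately stricter than a bare ".." test, so encoded or platform-specific separators are refused without having to enumerate them.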

Unit 193 (unit193) wrote :

I've attached two versions of this patch, one is based off the Bionic upload, the other backports the minimal NMU that cosmic has. I personally prefer the latter.

information type: Public → Public Security
Steve Beattie (sbeattie) wrote :

Hi,

I'm going to go with the first debdiff (roughly) so that our debian2ubuntu tool (http://people.canonical.com/~ubuntu-security/d2u/) can continue to identify future updates that are easy to incorporate into the bionic version. I'm also adding a bug reference to the changelog.

Thanks.

Steve Beattie (sbeattie)
Changed in cgit (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
status: In Progress → Fix Released
Changed in cgit (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in cgit (Ubuntu):
assignee: Steve Beattie (sbeattie) → nobody
Changed in cgit (Ubuntu Bionic):
status: New → In Progress
Changed in cgit (Ubuntu Xenial):
status: In Progress → New
assignee: Steve Beattie (sbeattie) → nobody
Changed in cgit (Ubuntu Bionic):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cgit - 1.1+git2.10.2-3ubuntu0.1

---------------
cgit (1.1+git2.10.2-3ubuntu0.1) bionic-security; urgency=high

  * SECURITY UPDATE: Directory traversal vulnerability.
    - d/p/clone-fix-directory-traversal.patch:
      This fixes a directory traversal vulnerability in CGit
      before 1.2.1 when `enable-http-clone=1` is not turned off,
      as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
    - CVE-2018-14912 (LP: #1787021)

 -- Unit 193 <email address hidden> Tue, 14 Aug 2018 15:57:15 -0400

Changed in cgit (Ubuntu Bionic):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Removing ubuntu-security-sponsors from the subscriber list, as there are no more actionable items here. If anyone makes the effort to provide and test a xenial debdiff for this issue, please resubscribe the ubuntu-security-sponsors team. Thanks!
