Debian DSA-2215-1 : gitolite - directory traversal

2011-04-11T00:00:00
ID DEBIAN_DSA-2215.NASL
Type nessus
Reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2011-04-11T00:00:00

Description

Dylan Simon discovered that gitolite, an SSH-based gatekeeper for Git repositories, is prone to directory traversal attacks when restricting admin defined commands (ADC). This allows an attacker to execute arbitrary commands with the privileges of the gitolite server via crafted command names.

Please note that this only affects installations that have ADC enabled; ADC is not enabled in the Debian default configuration.

The oldstable distribution (lenny) is not affected by this problem because it does not include gitolite.

                                        
                                            #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2215. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Metadata registration: when the scanner loads the plugin with `description`
# set, this block only declares the plugin's identity, advisory text, scoring
# and prerequisites, then exits without touching the target.
if (description)
{
  script_id(53342);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  # Cross-references registered here are a Bugtraq ID and the DSA number only;
  # no CVE identifier is declared in this block, so CVE-keyed correlation
  # will not match this plugin.
  script_bugtraq_id(46473);
  script_xref(name:"DSA", value:"2215");

  script_name(english:"Debian DSA-2215-1 : gitolite - directory traversal");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  # Advisory text copied from DSA-2215. Note the stated precondition: only
  # installations with ADC enabled are affected, which is not the Debian default.
  script_set_attribute(
    attribute:"description", 
    value:
"Dylan Simon discovered that gitolite, a SSH-based gatekeeper for Git
repositories, is prone to directory traversal attacks when restricting
admin defined commands (ADC). This allows an attacker to execute
arbitrary commands with privileges of the gitolite server via crafted
command names.

Please note that this only affects installations that have ADC enabled
(not the Debian default).

The oldstable distribution (lenny) is not affected by this problem, it
does not include gitolite."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze/gitolite"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2011/dsa-2215"
  );
  # Remediation: the fixed package version named here is the same value the
  # version check later in this script compares against.
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the gitolite packages.

For the stable distribution (squeeze), this problem has been fixed in
version 1.5.4-2+squeeze1."
  );
  # CVSS v2 base vector: network access, low access complexity, no
  # authentication, partial impact on confidentiality, integrity and
  # availability.
  # NOTE(review): the vector scores Au:N, while the advisory text describes an
  # SSH-based gatekeeper and does not say whether the attacker needs an
  # existing gitolite account - confirm before relying on the score for
  # prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven, official fix available, report
  # confirmed; consistent with the two exploit attributes set below.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Declared as a local check scoped to the gitolite package on Debian 6.0.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gitolite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/11");
  script_end_attributes();

  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Prerequisites: the three KB keys below must exist before the check body
  # runs. Presumably ssh_get_info.nasl is what populates them from an
  # authenticated session - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # Metadata pass ends here; nothing below runs during registration.
  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions for the package check. Each guard hands off to audit() with
# the matching reason when its KB item is missing, so an unusable data set is
# reported as "could not check" rather than as "not affected".

# Local (credentialed) checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The host must have been identified as Debian.
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}

# The dpkg package listing must have been collected.
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}


# Package check for DSA-2215: deb_check() is given the Debian release ("6.0"),
# the package name prefix and the fixed version from the advisory.
#
# Triage caveat: this is a version-only test. Nothing in this script reads
# gitolite's configuration, while the advisory limits the issue to
# installations with ADC enabled (not the Debian default). A finding therefore
# means "package older than the fixed version", and whether ADC is actually
# enabled has to be confirmed on the host.
pkg_outdated = deb_check(release:"6.0", prefix:"gitolite", reference:"1.5.4-2+squeeze1");

if (!pkg_outdated) audit(AUDIT_HOST_NOT, "affected");
else
{
  # Report on port 0; the package details from deb_report_get() are attached
  # only when report verbosity is above zero.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}