There was a remote code execution vulnerability in versions of gollum < 3.1.1 (just released). Technically, the bug was in the `gollum-grit_adapter` gem dependency which was introduced in 3.1.0, but I suspect that the same exploitable code existed in the `gollum-lib` dependency before that version (untested). Please update gollum to 3.1.1 (`gem update gollum`): that will update the dependencies. (If anyone uses `gollum-lib` without the `gollum` frontend, please `gem update gollum-lib`.)
The bug exploits the fact that `grit` uses command line calls to `git grep` to implement search functionality. `git grep` takes a `-O` or `--open-files-in-pager` option that will basically pipe the results of `grep` to an arbitrary process. For example, in vulnerable versions of gollum, searching for `-Otouch /tmp/exploittest` creates the file `/tmp/exploittest` (but any arbitrary command will work, so that an attacker could set up shell access to the exploited server). However, this will only work if grep finds the string `master` (or whatever is the default branch that gollum uses) in any of the wiki's documents. See here for the vulnerable code and fix: gollum/grit_adapter@4520d97#diff-800aaf4e2265b3ff990b1d55a05996d6R140
Many thanks to @joernchen for reporting this. @sunny @bartkamphorst @jamieoliver please have a look and see if I didn't miss anything. One more reason to ditch grit in favour of rugged.
EDIT: fixed gollum version numbers
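The mechanism described in the report, as an added example that is not code from gollum, grit_adapter, or the report's author. It reconstructs the vulnerable argv shape (user query placed where `git grep` expects options), shows a hardened shape using `-e` and `--` (my suggested mitigation, not necessarily the project's actual fix), and runs both through a deliberately simplified model of `git grep`'s argument parsing so the divergence is visible without a git repository. The function and constant names are mine; the query string is the one from the report.

```ruby
require 'open3'

# Constructed query from the report: git grep reads it as -O<pager>.
EXPLOIT_QUERY = '-Otouch /tmp/exploittest'.freeze

# Vulnerable shape (my reconstruction of the pattern the report describes, not
# grit_adapter's actual code): the user's query lands where git grep expects
# options, so a query beginning with "-" is parsed as an option.
def vulnerable_grep_argv(query, ref = 'master')
  ['git', 'grep', '-n', query, ref]
end

# Hardened shape: "-e" binds the next argument as the pattern regardless of its
# first character, and "--" ends option/revision parsing. Passing an argv array
# instead of a shell string is necessary but, on its own, not sufficient: this is
# argument injection, not shell injection.
def safe_grep_argv(query, ref = 'master')
  ['git', 'grep', '-n', '-e', query, ref, '--']
end

# Simplified model of how git grep reads its argv, detailed only enough to show
# where the two shapes diverge: options are consumed until the first non-option
# or "--"; "-e X" takes X as the pattern; "-O<cmd>" sets the pager command; the
# first non-option becomes the pattern if none was given, later ones are
# revisions. This is a teaching model, not git's parser.
def model_git_grep(argv)
  args = argv.drop(2) # skip "git", "grep"
  parsed = { pattern: nil, pager: nil, revs: [] }
  in_options = true
  i = 0
  while i < args.length
    a = args[i]
    break if a == '--'
    if in_options && a == '-e'
      parsed[:pattern] = args[i + 1]
      i += 2
      next
    elsif in_options && a.start_with?('-O')
      parsed[:pager] = a.length > 2 ? a[2..-1] : '(default pager)'
    elsif in_options && a.start_with?('-')
      # some other option; the model ignores it
    else
      in_options = false
      if parsed[:pattern].nil?
        parsed[:pattern] = a
      else
        parsed[:revs] << a
      end
    end
    i += 1
  end
  parsed
end

# Runs the hardened command for real; needs git and a repository directory.
# Not exercised by the checks below because it depends on the environment.
# git grep exits 1 when nothing matches, which is not an error here.
def safe_search(query, repo_dir, ref = 'master')
  out, status = Open3.capture2(*safe_grep_argv(query, ref), chdir: repo_dir)
  (status.success? || status.exitstatus == 1) ? out.lines.map(&:chomp) : []
end
```

Running the exploit query through the model reproduces the report's observation: in the vulnerable shape the query becomes the pager command and `master` becomes the search pattern, which is why the payload only fires when some wiki page contains that word. In the hardened shape the query is bound by `-e` as the pattern and `master` stays a revision.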