There was a remote code execution vulnerability in versions of gollum < 3.1.1 (just released). Technically, the bug was in the gollum-grit_adapter gem dependency which was introduced in 3.1.0, but I suspect that the same exploitable code existed in the gollum-lib dependency before that version (untested). Please update gollum to 3.1.1 (gem update gollum): that will update the dependencies. (If anyone uses gollum-lib without the gollum frontend, please gem update gollum-lib).
The bug exploits the fact that grit uses command line calls to git grep to implement search functionality. git grep takes a -O or --open-files-in-pager option that will basically pipe the results of grep to an arbitrary process. For example, in vulnerable versions of gollum, searching for -Otouch /tmp/exploittest creates the file /tmp/exploittest (but any arbitrary command will work, so that an attacker could set up shell access to the exploited server). However, this will only work if grep finds the string master (or whatever is the default branch that gollum uses) in any of the wiki's documents. See here for the vulnerable code and fix: gollum/grit_adapter@4520d97#diff-800aaf4e2265b3ff990b1d55a05996d6R140
Many thanks to @joernchen for reporting this. @sunny @bartkamphorst @jamieoliver please have a look and see if I didn't miss anything. One more reason to ditch grit in favour of rugged.
EDIT: fixed gollum version numbers
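The following Ruby is an added illustration of the argument-injection shape described in the post and of the conventional hardening for it; it is not code from gollum, gollum-lib or grit_adapter. The flags -I, -i and -c, the file name Home.md, the helper names and the seeded page text are assumptions constructed for the example. The vulnerable argv is only built, never executed; the hardened argv is run against a throwaway repository (when git is installed) whose single page contains the word "master", the precondition the advisory names.

```ruby
require 'open3'
require 'tmpdir'

DEFAULT_REF = 'master' # assumption: the default branch gollum searches

# Argument shape open to option injection: the user-controlled query sits
# where git grep still parses options, so "-Otouch /tmp/x" is read as -O.
# Returned for comparison only; never executed here.
def vulnerable_grep_argv(query, ref = DEFAULT_REF)
  ['git', 'grep', '-I', '-i', '-c', query, ref]
end

# Hardened shape: "-e" binds the next argument as the pattern whatever it
# starts with, and the trailing "--" ends option parsing. The query can no
# longer be interpreted as -O (or any other flag).
def hardened_grep_argv(query, ref = DEFAULT_REF)
  ['git', 'grep', '-I', '-i', '-c', '-e', query, ref, '--']
end

# Cheap detection signal for request logs: a wiki search term that looks
# like a command-line option. Legitimate searches almost never start with "-".
def option_like?(query)
  query.start_with?('-')
end

def git_available?
  system('git', '--version', out: File::NULL, err: File::NULL)
end

# Seeds a temporary repo with one page containing "master" (constructed
# content), runs the hardened argv against it as an argv array (no shell)
# and reports whether git grep matched. Returns nil when git is missing.
def run_hardened_search(query)
  return nil unless git_available?
  Dir.mktmpdir('gollum-grep-demo') do |dir|
    git = ->(*args) { Open3.capture3('git', *args, chdir: dir) }
    git.call('init', '-q')
    git.call('symbolic-ref', 'HEAD', 'refs/heads/master')
    File.write(File.join(dir, 'Home.md'),
               "Constructed page: the master branch is the default.\n")
    git.call('add', 'Home.md')
    git.call('-c', 'user.name=demo', '-c', 'user.email=demo@example.invalid',
             'commit', '-q', '-m', 'seed page')
    out, _err, status = Open3.capture3(*hardened_grep_argv(query), chdir: dir)
    { matched: status.success?, output: out.strip }
  end
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_grep_argv('-Otouch /tmp/exploittest')
  p hardened_grep_argv('-Otouch /tmp/exploittest')
  p run_hardened_search('master')
  p run_hardened_search('-Otouch /tmp/exploittest')
end
```

With the hardened argv, a query of -Otouch /tmp/exploittest is searched for as a literal pattern and simply finds nothing, while a query of master still matches the seeded page (git grep -c prints master:Home.md:1). Passing the argv as an array to Open3 rather than through a shell string closes the separate shell-metacharacter hole; it does not by itself stop option injection, which is why -e and -- are needed as well.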