Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Jan 2009 21:57:03 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request -- git

* Florian Weimer:

> could you please assign a CVE for this bug:
>
> | Current gitweb has a possible local privilege escalation bug that allows a
> | malicious repository owner to run a command of his choice by specifying
> | diff.external configuration variable in his repository and running a
> | crafted gitweb query.
> |
> | [...] Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7
> | are already available at k.org (see the announcement for v1.6.0.6 I
> | sent out a few minutes ago), and the master branch and others pushed
> | out tonight have the same fix. [...]
>
> <http://marc.info/?l=git&m=122975564100860&w=2>

Nerver mind, Novell used CVE-2008-5517 for this.  Here's our bug
summary (the CVE description is somewhat misleading, I think):

| Local users with write access to the configuration of a Git repository
| served by gitweb could cause gitweb to execute arbitrary shell commands
| with the permission of the web server (CVE-2008-5517).

In DSA-1708-1, we use CVE-2008-5516 for these issues:

  http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
  http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae

These have been fixed silently quite some time ago (in 1.5.6 and
1.5.5, respectively).

(For editorial reasons, the changelog in our DSA contains the previous
CVE assignment.)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.