[Secure-testing-team] Bug#512330: gitweb: do not run "git diff" that is Porcelain

Frédéric Brière fbriere at fbriere.net
Mon Jan 19 18:56:44 UTC 2009


Package: gitweb
Version: 1.5.4
Severity: grave
Tags: security
Justification: user security hole

This bug report covers CVE-2008-5517.

Now, correct me if I'm wrong, Gerrit, but this doesn't have anything to
do with shell metacharacters, despite what the CVE claims.

This actually relates to the ability to run an external diff command
(diff.external).  If Alice maintains a repo being hosted by Bob, she
could therefore trick gitweb into invoking any executable she chooses.
This is bad if gitweb is being run as a privileged user, or if Alice is
not meant to have executing rights on the server.

This has been fixed in 1:1.6.0.6-1, already in experimental.  It has
also been fixed upstream in 1.5.6.6, although the patch[*] could be
cleanly applied to lenny's 1.5.6.5 as well.

[*] <http://repo.or.cz/w/git.git?a=commitdiff;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76;hp=872354dcb3ce5f34f7ddb12d2c89d26a1ea4daf0>

Support for diff.external was added in 1.5.4, so this bug does not apply
to sarge.


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
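
An audit a hosting admin could run for the diff.external issue described in the report above, as an added example that is not part of the original message, gitweb, or git. The function name `scan_diff_exec`, the one-root repository layout and the sample paths are assumptions; it also goes beyond diff.external and flags diff.<driver>.command and diff.<driver>.textconv, which name programs in the same way.

```shell
#!/bin/sh
# Added example (not gitweb or git code). Lists repository config files that
# ask git to run a program when producing a diff. Assumption: hosted repos
# live under one root and each keeps its settings in a file named "config".

scan_diff_exec() {   # usage: scan_diff_exec ROOT
    find "$1" -type f -name config -exec awk '
        /^[ \t]*\[/ {                      # section header, e.g. [diff]
            hdr = tolower($0); sec = ""
            if (hdr ~ /^[ \t]*\[diff[ \t]*\]/) sec = "diff"
            else if (hdr ~ /^[ \t]*\[diff[ \t]+"[^"]*"[ \t]*\]/) sec = "driver"
            sub(/^[ \t]*\[[^]]*\][ \t]*/, "")   # a key may follow the header
            if ($0 == "") next
        }
        sec == "" || /^[ \t]*[#;]/ { next }     # other sections, comments
        {
            split($0, kv, "="); key = tolower(kv[1]); gsub(/[ \t]/, "", key)
            if ((sec == "diff" && key == "external") ||
                (sec == "driver" && (key == "command" || key == "textconv")))
                print FILENAME ": " $0
        }
    ' {} \;
}

# Constructed sample: one repo sets diff.external, the other does not.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice.git" "$root/bob.git"
    printf '[core]\n\tbare = true\n[diff]\n\texternal = /home/alice/bin/mydiff\n' \
        > "$root/alice.git/config"
    printf '[core]\n\tbare = true\n[diff]\n\trenames = true\n' \
        > "$root/bob.git/config"
    scan_diff_exec "$root"
    rm -rf "$root"
}
demo
```

Settings pulled in through include.path are not followed, so a run with no hits does not cover included files.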
