| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7vhc4z1gys.fsf@gitster.siamese.dyndns.org> Date: Fri, 19 Dec 2008 22:46:51 -0800 From: Junio C Hamano <gitster@...ox.com> To: git@...r.kernel.org Cc: linux-kernel@...r.kernel.org Subject: [Security] gitweb local privilege escalation (fix) Current gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query. Recent (post 1.4.3) gitweb itself never generates a link that would result in such a query, and the safest and cleanest fix to this issue is to simply drop the support for it. Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement for v1.6.0.6 I sent out a few minutes ago), and the master branch and others pushed out tonight have the same fix. This message contains two patches (credits go to Matt McCutchen, Jeff King and Jakub Narebski) to do the fix yourself: (1) for Git 1.5.4.X, 1.5.5.X, and 1.5.6.X, and (2) for Git 1.6.0.X. Distro packagers and people on the vendor security list have been notified about this fix earlier this week; people running gitweb from vendor supplied binaries should be able to get updates from them as well. View attachment "0001-hotfix-1.5.456.X.txt" of type "text/plain" (2314 bytes) View attachment "0002-gitweb-hotfix-1.6.0.X.txt" of type "text/plain" (1631 bytes)
Powered by blists - more mailing lists