| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <m3myerce39.fsf@localhost.localdomain> Date: Sat, 20 Dec 2008 02:54:25 -0800 (PST) From: Jakub Narebski <jnareb@...il.com> To: Junio C Hamano <gitster@...ox.com> Cc: git@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [Security] gitweb local privilege escalation (fix) Junio C Hamano <gitster@...ox.com> writes: > Current gitweb has a possible local privilege escalation bug that allows a > malicious repository owner to run a command of his choice by specifying > diff.external configuration variable in his repository and running a > crafted gitweb query. > > Recent (post 1.4.3) gitweb itself never generates a link that would result > in such a query, and the safest and cleanest fix to this issue is to > simply drop the support for it. Maintenance release v1.6.0.6, v1.5.6.6, > v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement > for v1.6.0.6 I sent out a few minutes ago), and the master branch and > others pushed out tonight have the same fix. >From what I have found diff.external works only since v1.5.4 (see commit cbe02100), so when gitweb started using git-diff for old legacy links to not use $tmpdir and /usr/bin/diff -u it wasn't an issue... -- Jakub Narebski Poland ShadeHawk on #git -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists