Date: Mon, 19 Jan 2009 21:57:03 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request -- git

* Florian Weimer:

> could you please assign a CVE for this bug:
>
> | Current gitweb has a possible local privilege escalation bug that allows a
> | malicious repository owner to run a command of his choice by specifying
> | diff.external configuration variable in his repository and running a
> | crafted gitweb query.
> |
> | [...] Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7
> | are already available at k.org (see the announcement for v1.6.0.6 I
> | sent out a few minutes ago), and the master branch and others pushed
> | out tonight have the same fix. [...]
>
> <http://marc.info/?l=git&m=122975564100860&w=2>

Never mind, Novell used CVE-2008-5517 for this.  Here's our bug
summary (the CVE description is somewhat misleading, I think):

| Local users with write access to the configuration of a Git repository
| served by gitweb could cause gitweb to execute arbitrary shell commands
| with the permission of the web server (CVE-2008-5517).

In DSA-1708-1, we use CVE-2008-5516 for these issues:

  http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
  http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae

These have been fixed silently quite some time ago (in 1.5.6 and
1.5.5, respectively).

(For editorial reasons, the changelog in our DSA contains the previous
CVE assignment.)
