Frédéric Brière
2009-Jan-19 18:56 UTC
[Secure-testing-team] Bug#512330: gitweb: do not run "git diff" that is Porcelain
Package: gitweb
Version: 1.5.4
Severity: grave
Tags: security
Justification: user security hole

This bug report covers CVE-2008-5517.

Now, correct me if I'm wrong, Gerrit, but this doesn't have anything to do with shell metacharacters, despite what the CVE claims. This actually relates to the ability to run an external diff command (diff.external).

If Alice maintains a repo being hosted by Bob, she could therefore trick gitweb into invoking any executable she chooses. This is bad if gitweb is being run as a privileged user, or if Alice is not meant to have executing rights on the server.

This has been fixed in 1:1.6.0.6-1, already in experimental. It has also been fixed upstream in 1.5.6.6, although the patch[*] could be cleanly applied to lenny's 1.5.6.5 as well.

[*] <http://repo.or.cz/w/git.git?a=commitdiff;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76;hp=872354dcb3ce5f34f7ddb12d2c89d26a1ea4daf0>

Support for diff.external was added in 1.5.4, so this bug does not apply to sarge.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
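
An added example, not part of the original report or of gitweb: a minimal Python audit that a hosting admin could run over each hosted repository's `config` file to flag `diff.external`, the setting this report identifies. It goes slightly beyond the report by also flagging `diff.<driver>.command`, which porcelain `git diff` likewise runs; the function name, the sample config and its paths are constructed for illustration, and the parser does not follow include directives.

```python
import re

# Matches "[diff]" and '[diff "driver"]' section headers in a git config file.
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')

# Constructed sample: what a hosted repository's config might contain.
SAMPLE_CONFIG = """\
[core]
\tbare = true
[diff]
\t; placeholder path, constructed for this example
\texternal = /srv/example/placeholder-helper
[diff "img"]
\tcommand = /srv/example/placeholder-img-diff
"""


def find_external_diff(config_text):
    """Return (key, value) pairs that let porcelain `git diff` run a program."""
    findings = []
    section = subsection = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # Section names are case-insensitive; quoted subsections are not.
            section, subsection = m.group(1).lower(), m.group(2)
            if subsection is None and "." in section:
                # Deprecated "[diff.driver]" spelling of a subsection.
                section, subsection = section.split(".", 1)
            line = line[m.end():].strip()  # a key may share the header line
        if not line or line[0] in "#;" or section != "diff":
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if subsection is None and name == "external":
            findings.append(("diff.external", value))
        elif subsection is not None and name == "command":
            findings.append((f"diff.{subsection}.command", value))
    return findings


if __name__ == "__main__":
    for key, value in find_external_diff(SAMPLE_CONFIG):
        print(f"review before serving with gitweb: {key} = {value}")
```

A hit means a gitweb version that still runs porcelain `git diff` would execute that program as the web server's user, so the repository needs review or gitweb needs the upstream fix.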