Package: gitweb
Version: 1.5.4
Severity: grave
Tags: security
Justification: user security hole

This bug report covers CVE-2008-5517.

Now, correct me if I'm wrong, Gerrit, but this doesn't have anything to do with shell metacharacters, despite what the CVE claims. This actually relates to the ability to run an external diff command (diff.external). If Alice maintains a repo being hosted by Bob, she could therefore trick gitweb into invoking any executable she chooses. This is bad if gitweb is being run as a privileged user, or if Alice is not meant to have executing rights on the server.

This has been fixed in 1:1.6.0.6-1, already in experimental. It has also been fixed upstream in 1.5.6.6, although the patch[*] could be cleanly applied to lenny's 1.5.6.5 as well.

[*] <http://repo.or.cz/w/git.git?a=commitdiff;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76;hp=872354dcb3ce5f34f7ddb12d2c89d26a1ea4daf0>

Support for diff.external was added in 1.5.4, so this bug does not apply to sarge.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
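
The report above turns on a repository's own configuration setting diff.external. As an added example (not part of the original report, of gitweb, or of the upstream patch), a host can audit the repositories it serves for that key. The parser is a simplified reading of git's config syntax, the function names are hypothetical, the sample tree is constructed, and only the key named in the report is checked.

```python
import os
import re
import tempfile

# Simplified git-config grammar (assumption: no include.path, no line continuations).
SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)\s*(?:"((?:[^"\\]|\\.)*)")?\s*\]')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

def external_diff_settings(config_text):
    """Return every value assigned to diff.external, as written in the file."""
    found, section, sub = [], None, None
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            line = line[m.end():]  # a key may follow the header on the same line
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        kv = KEYVAL.match(line)
        if kv and section == "diff" and sub is None and kv.group(1).lower() == "external":
            found.append((kv.group(2) or "").strip())
    return found

def audit_repos(root):
    """Map each git directory under root to the diff.external values it sets."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if "config" in filenames and "HEAD" in filenames:  # looks like a git dir
            with open(os.path.join(dirpath, "config"), errors="replace") as fh:
                values = external_diff_settings(fh.read())
            if values:
                hits[dirpath] = values
            dirnames[:] = []  # no need to descend into objects/ or refs/
    return hits

def build_sample_tree():
    """Constructed sample: two bare repos, one of which sets diff.external."""
    root = tempfile.mkdtemp()
    configs = {
        "alice.git": "[core]\n\tbare = true\n[Diff]\n\tExternal = /home/alice/bin/helper\n",
        "bob.git": "[core]\n\tbare = true\n[diff]\n\trenames = true\n",
    }
    for name, text in configs.items():
        os.makedirs(os.path.join(root, name))
        for fname, body in (("config", text), ("HEAD", "ref: refs/heads/master\n")):
            with open(os.path.join(root, name, fname), "w") as fh:
                fh.write(body)
    return root
```

Calling `audit_repos()` on the directory gitweb serves lists each repository whose owner has set the key, which is the condition the report describes on an unpatched gitweb.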