Bug 251343 - dev-util/git <1.6.0.6 gitweb privilege escalation (CVE-2008-{5516,5517,5916})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 252208 (CVE-2008-5517)
Depends on:
Blocks:
 
Reported: 2008-12-17 18:47 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-09 13:57 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
gitweb hotfix for 1.5.[456].X (0001-gitweb-do-not-run-git-diff-that-is-Porcelain.txt,2.26 KB, patch)
2008-12-17 18:48 UTC, Robert Buchholz (RETIRED)
gitweb hotfix for 1.6.0.X (0002.txt,1.59 KB, patch)
2008-12-17 18:48 UTC, Robert Buchholz (RETIRED)
amd64 build.log (with failing tests) (git-1.6.0.6-build.log,79.74 KB, text/plain)
2008-12-23 14:32 UTC, Sven Gebhardt

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:47:42 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Junio C Hamano wrote:
Current gitweb has a possible local privilege escalation bug that allows a
malicious repository owner to run a command of his choice by specifying
diff.external configuration variable in his repository and running a
crafted gitweb query.

Recent (post 1.4.3) gitweb itself never generates a link that would result
in such a query, and the safest and cleanest fix to this issue is to
simply drop the support for it.  This message contains two patches
(credits go to Matt McCutchen, Jeff King and Jakub Narebski) just to do
so:

 (1) for Git 1.5.4.X, 1.5.5.X, and 1.5.6.X, and

 (2) for Git 1.6.0.X.

I'll be cutting real maintenance release with these patches and tagging
them as 1.5.4.7, 1.5.5.6, 1.5.6.6 and 1.6.0.6 shortly (by the end of the
week at the latest); I am sending these patches to distro packagers so
that they can use them to hotfix their released versions that might be
older than the ones listed above.
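The issue described above is a trust boundary problem: gitweb ran the porcelain `git diff`, which honours repository-local configuration, so a repository owner could point `diff.external` at a program of their choice and have the web server execute it. The upstream fix drops that code path. As a complementary check for a gitweb host that has not yet been upgraded, the following script audits every repository under a project root for a repo-local `diff.external` setting (and, going one step beyond this report, for the per-driver `diff.<name>.command` form that porcelain diff also honours). This is an added example written for this bug, not code from git, gitweb or the Gentoo ebuild; the project-root layout (bare repositories with `<repo>/config`, or working trees with `<repo>/.git/config`) and the sample configs it creates in a temporary directory are assumptions of the example.

```python
"""Audit gitweb-served repositories for repo-local external diff commands.

Added example for Gentoo bug 251343; not part of git, gitweb or the ebuild.
Assumes a gitweb project root whose entries are bare repositories
(<repo>/config) or working trees (<repo>/.git/config).
"""
import os
import re
import tempfile

# git-config section header: [section] or [section "subsection"]
_SECTION_RE = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
# git-config key line: name, optional "= value"; a bare name means "true"
_KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")
# diff.<driver>.command: the per-driver external diff program
_DRIVER_CMD_RE = re.compile(r"^diff\.[^.]+\.command$")


def parse_git_config(text):
    """Return (key, value) pairs with keys in git's dotted form.

    Repeated keys are legal in git, so a list is returned rather than a dict.
    Section and key names are case-insensitive in git and lowered here;
    subsection names are case-sensitive and kept as written.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            name = m.group(1).lower()
            section = f"{name}.{m.group(2)}" if m.group(2) is not None else name
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            value = "true" if m.group(2) is None else m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # simple quoted value
            entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries


def dangerous_diff_settings(entries):
    """Keys that make porcelain `git diff` run a program chosen by the repo owner."""
    return [(k, v) for k, v in entries
            if k == "diff.external" or _DRIVER_CMD_RE.match(k)]


def repo_config_path(repo_dir):
    """Locate the repo-local config; working tree first, then bare layout."""
    for candidate in (os.path.join(repo_dir, ".git", "config"),
                      os.path.join(repo_dir, "config")):
        if os.path.isfile(candidate):
            return candidate
    return None


def audit_project_root(project_root):
    """Map repository name -> dangerous (key, value) pairs, for repos that have any."""
    findings = {}
    for name in sorted(os.listdir(project_root)):
        cfg = repo_config_path(os.path.join(project_root, name))
        if cfg is None:
            continue
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            hits = dangerous_diff_settings(parse_git_config(fh.read()))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample configs (not taken from any real repository). The
# external command is a placeholder path, not a real program.
SAMPLE_HOSTILE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
    "[diff]\n\texternal = /home/owner/bin/not-a-diff-tool\n"
)
SAMPLE_CLEAN_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
    "[diff]\n\trenames = true\n"
)


def build_sample_project_root():
    """Create a temporary project root with one clean and one flagged bare repo."""
    root = tempfile.mkdtemp(prefix="gitweb-audit-")
    for repo, config in (("clean.git", SAMPLE_CLEAN_CONFIG),
                         ("owner-controlled.git", SAMPLE_HOSTILE_CONFIG)):
        os.makedirs(os.path.join(root, repo))
        with open(os.path.join(root, repo, "config"), "w", encoding="utf-8") as fh:
            fh.write(config)
    return root


if __name__ == "__main__":
    for repo, hits in audit_project_root(build_sample_project_root()).items():
        for key, value in hits:
            print(f"{repo}: {key} = {value}")
```

Run against a real gitweb project root by calling `audit_project_root("/var/git")` (or whatever `$projectroot` is set to in the gitweb config). A hit is not proof of misuse, since `diff.external` has legitimate uses, but on a shared gitweb host it is a setting the administrator should know about until the fixed gitweb, which no longer runs porcelain `git diff`, is installed.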
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:48:33 UTC
Created attachment 175628 [details, diff]
gitweb hotfix for 1.5.[456].X
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:48:55 UTC
Created attachment 175629 [details, diff]
gitweb hotfix for 1.6.0.X
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:51:07 UTC
We can either prestable an ebuild with the patch applied on this bug or bump the maintenance release once it's out. Robin, what do you prefer?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 10:26:24 UTC
public now.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 10:26:56 UTC
*** Bug 252208 has been marked as a duplicate of this bug. ***
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-23 10:41:13 UTC
1.6.0.6 is in the tree now. If it's got the actual fix, we should stabilize it.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-23 11:55:18 UTC
Yup, it has the fix.

Arches, please test and mark stable:
=dev-util/git-1.6.0.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-12-23 14:28:17 UTC
Sparc stable.  Built with FEATURES='test userpriv' and all tests which are supposed to pass do pass.
Comment 9 Sven Gebhardt 2008-12-23 14:32:43 UTC
Created attachment 176214 [details]
amd64 build.log (with failing tests)

This does not build on amd64 with tests enabled. (Without tests, it emerges fine and seems to work correctly.)

emerge --info:
Portage 2.1.4.5 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r8 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
Timestamp of tree: Tue, 23 Dec 2008 12:00:01 +0000
app-shells/bash:    3.2_p33
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:    2.4.4-r13, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r2
sys-devel/automake:  1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:  1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mmx mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl sse sse2 ssl sysfs tcpd unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 10 Markus Meier gentoo-dev 2008-12-23 17:09:36 UTC
amd64/x86 stable
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-23 19:20:53 UTC
sg@unkreativ.org: I can't reproduce your failure here.
Can you please:
1. show me: "emerge -pv dev-util/git"
2. run that testcase manually and attach the detailed output.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-12-23 19:32:20 UTC
alpha/arm/ia64 stable

and btw, tests need to be run with FEATURES="userpriv"
Comment 13 Sven Gebhardt 2008-12-23 23:19:51 UTC
yeah, tests pass with FEATURES=userpriv and builds correctly on amd64. My bad. Merry christmas anyway!
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-25 21:28:11 UTC
Stable for HPPA.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:30:57 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-01-01 10:33:18 UTC
s390/sh stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-01-08 20:23:45 UTC
ppc64 done
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 18:26:28 UTC
glsa request filed.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 18:30:38 UTC
CVE-2008-5517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5517):
  The web interface in git in SUSE openSUSE 10.3 allows remote
  attackers to execute arbitrary commands via shell metacharacters in
  an unspecified context.

CVE-2008-5516 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5516):
  The web interface in git (gitweb) 1.5.6, and possibly other versions,
  allows remote attackers to execute arbitrary commands via shell
  metacharacters related to git_search.  NOTE: because of the lack of
  details, it is not clear whether CVE-2008-5516 and CVE-2008-5517 are
  distinct issues on the rPath Linux 2 platform.

CVE-2008-5916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5916):
  gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x
  before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and
  other versions after 1.4.3 allows local repository owners to execute
  arbitrary commands by modifying the diff.external configuration
  variable and executing a crafted gitweb query.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 18:30:50 UTC
*** Bug 255567 has been marked as a duplicate of this bug. ***
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:57:13 UTC
GLSA 200903-15