Re: [Security] gitweb local privilege escalation (fix)

From: Jakub Narebski
Date: Sat Dec 20 2008 - 05:54:42 EST

Next message: Vegard Nossum: "[PATCH] pci: fix no_pci_devices()"
Previous message: Vaidyanathan Srinivasan: "Re: [PATCH v7 4/8] sched: nominate preferred wakeup cpu"
In reply to: Junio C Hamano: "[Security] gitweb local privilege escalation (fix)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Junio C Hamano <gitster@xxxxxxxxx> writes:

> Current gitweb has a possible local privilege escalation bug that allows a
> malicious repository owner to run a command of his choice by specifying
> diff.external configuration variable in his repository and running a
> crafted gitweb query.
>
> Recent (post 1.4.3) gitweb itself never generates a link that would result
> in such a query, and the safest and cleanest fix to this issue is to
> simply drop the support for it. Maintenance release v1.6.0.6, v1.5.6.6,
> v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement
> for v1.6.0.6 I sent out a few minutes ago), and the master branch and
> others pushed out tonight have the same fix.

>From what I have found diff.external works only since v1.5.4 (see
commit cbe02100), so when gitweb started using git-diff for old
legacy links to not use $tmpdir and /usr/bin/diff -u it wasn't an
issue...

--
Jakub Narebski
Poland
ShadeHawk on #git
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vegard Nossum: "[PATCH] pci: fix no_pci_devices()"
Previous message: Vaidyanathan Srinivasan: "Re: [PATCH v7 4/8] sched: nominate preferred wakeup cpu"
In reply to: Junio C Hamano: "[Security] gitweb local privilege escalation (fix)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]