Re: [Security] gitweb local privilege escalation (fix)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Junio C Hamano <gitster@xxxxxxxxx> writes:

> Current gitweb has a possible local privilege escalation bug that allows a
> malicious repository owner to run a command of his choice by specifying
> diff.external configuration variable in his repository and running a
> crafted gitweb query.
> 
> Recent (post 1.4.3) gitweb itself never generates a link that would result
> in such a query, and the safest and cleanest fix to this issue is to
> simply drop the support for it.  Maintenance release v1.6.0.6, v1.5.6.6,
> v1.5.5.6 and v1.5.4.7 are already available at k.org (see the announcement
> for v1.6.0.6 I sent out a few minutes ago), and the master branch and
> others pushed out tonight have the same fix.

>From what I have found diff.external works only since v1.5.4 (see
commit cbe02100), so when gitweb started using git-diff for old
legacy links to not use $tmpdir and /usr/bin/diff -u it wasn't an
issue...

-- 
Jakub Narebski
Poland
ShadeHawk on #git
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux