Re: CVE request -- git

[Florian Weimer <fw () deneb enyo de>]

* Florian Weimer:

> could you please assign a CVE for this bug:
>
> | Current gitweb has a possible local privilege escalation bug that allows a
> | malicious repository owner to run a command of his choice by specifying
> | diff.external configuration variable in his repository and running a
> | crafted gitweb query.
> |
> | [...] Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7
> | are already available at k.org (see the announcement for v1.6.0.6 I
> | sent out a few minutes ago), and the master branch and others pushed
> | out tonight have the same fix. [...]
>
> <http://marc.info/?l=git&m=122975564100860&w=2>

Nerver mind, Novell used CVE-2008-5517 for this.  Here's our bug
summary (the CVE description is somewhat misleading, I think):

| Local users with write access to the configuration of a Git repository
| served by gitweb could cause gitweb to execute arbitrary shell commands
| with the permission of the web server (CVE-2008-5517).

In DSA-1708-1, we use CVE-2008-5516 for these issues:

  http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
  http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae

These have been fixed silently quite some time ago (in 1.5.6 and
1.5.5, respectively).

(For editorial reasons, the changelog in our DSA contains the previous
CVE assignment.)