CVE-2008-5916
Published: 21 January 2009
gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.
Notes
Author | Note |
---|---|
mdeslaur | diff.external variable only available since 1.5.4 http://repo.or.cz/w/git.git?a=commitdiff;h=cbe02100 http://marc.info/?l=linux-kernel&m=122977048914639&w=2 So, doesn't affect dapper and gutsy |
Priority
Status
Package | Release | Status |
---|---|---|
git-core | upstream | Released (1.6.0.6) |
git-core | dapper | Not vulnerable (diff.external code not present) |
git-core | gutsy | Not vulnerable (diff.external code not present) |
git-core | hardy | Released (1:1.5.4.3-1ubuntu2.1) |
git-core | intrepid | Released (1:1.5.6.3-1.1ubuntu2.1) |

Patches: upstream: http://repo.or.cz/w/git.git?a=commit;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76