Candidate: CVE-2008-5916
PublicDate: 2009-01-21 02:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5916
 http://repo.or.cz/w/git.git?a=blob_plain;f=Documentation/RelNotes-1.6.0.6.txt;hb=718258e256b74622aa55f5ee0cb9cff4cce6bf9f
 https://ubuntu.com/security/notices/USN-723-1
Description:
 gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before
 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions
 after 1.4.3 allows local repository owners to execute arbitrary commands by
 modifying the diff.external configuration variable and executing a crafted
 gitweb query.
Ubuntu-Description:
Notes:
 mdeslaur> diff.external variable only available since 1.5.4
 mdeslaur> http://repo.or.cz/w/git.git?a=commitdiff;h=cbe02100
 mdeslaur> http://marc.info/?l=linux-kernel&m=122977048914639&w=2
 mdeslaur> So, doesn't affect dapper and gutsy
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_git-core:
 upstream: http://repo.or.cz/w/git.git?a=commit;h=dfff4b7aa42de7e7d58caeebe2c6128449f09b76
upstream_git-core: released (1.6.0.6)
dapper_git-core: not-affected (diff.external code not present)
gutsy_git-core: not-affected (diff.external code not present)
hardy_git-core: released (1:1.5.4.3-1ubuntu2.1)
intrepid_git-core: released (1:1.5.6.3-1.1ubuntu2.1)
devel_git-core: released (1:1.6.0.4-1ubuntu2)