Pardus: Git Privilege Escalation
Posted by Bill Keys   
A security issue has been reported in GIT, which can be exploited by malicious, local users to gain escalated privileges.

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-88            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2008-12-23
  Severity: 2
      Type: Local
------------------------------------------------------------------------

Summary
=======

A security issue has been reported in GIT, which can be exploited by
malicious, local users to gain escalated privileges.


Description
===========

The security issue is caused by the "gitweb" implementation improperly
verifying repository configuration variables. This can be exploited to
execute arbitrary commands with the privileges of the "gitweb" user via
a specially crafted "diff.external" configuration variable.



Affected packages:

  Pardus 2008:
    git, all before 1.6.0.6-74-11
    git-emacs, all before 1.6.0.6-74-11
    gitweb, all before 1.6.0.6-74-11



Resolution
==========

Updates are available for git, git-emacs and gitweb. You can install
them via Package Manager or with a single command from the console:

    pisi up git git-emacs gitweb
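
Alongside the update, an administrator can check whether any repository served by gitweb sets the "diff.external" variable named in the Description. The script below is an added example, not part of the Pardus advisory or of Git. The function names, the project-root layout and the sample configs are constructed assumptions, and config files pulled in through include directives are not followed.

```python
import os
import re
import tempfile

# Git config syntax: "[section]" or '[section "subsection"]', optionally followed by a key.
SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)\s*(?:"((?:[^"\\]|\\.)*)")?\s*\]\s*(.*)$')
KEY = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

def diff_external_values(config_text):
    """Return every value assigned to diff.external in one git config file."""
    values, in_diff = [], False
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            # Only the plain [diff] section holds diff.external;
            # [diff "name"] is a subsection for a named diff driver.
            in_diff = m.group(1).lower() == "diff" and m.group(2) is None
            line = m.group(3)  # a key may follow the header on the same line
        if not in_diff or not line.strip() or line.lstrip()[0] in "#;":
            continue
        k = KEY.match(line)
        if k and k.group(1).lower() == "external":  # names are case-insensitive
            values.append((k.group(2) or "").strip())
    return values

def scan_project_root(root):
    """Report (config path, value) for each repository under root that sets diff.external."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A repository directory (bare or .git) holds HEAD, config and objects/.
        if "HEAD" in filenames and "config" in filenames and "objects" in dirnames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(path, v) for v in diff_external_values(fh.read())]
            dirnames[:] = []  # do not descend into the repository itself
    return sorted(findings)

def make_sample_root():
    """Build a constructed project root with two bare repositories (sample data)."""
    root = tempfile.mkdtemp()
    samples = {"clean.git": "[core]\n\tbare = true\n[diff \"png\"]\n\tbinary = true\n",
               "odd.git": "[core]\n\tbare = true\n[Diff]\n\tExternal = /tmp/placeholder-helper\n"}
    for name, text in samples.items():
        os.makedirs(os.path.join(root, name, "objects"))
        open(os.path.join(root, name, "HEAD"), "w").write("ref: refs/heads/master\n")
        open(os.path.join(root, name, "config"), "w").write(text)
    return root

if __name__ == "__main__":
    for path, value in scan_project_root(make_sample_root()):
        print(f"{path}: diff.external = {value}")
```

Any repository it reports should be reviewed by its owner before gitweb continues to serve it.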

References
==========

  * http://article.gmane.org/gmane.comp.version-control.git/103
  * http://secunia.com/Advisories/33270/

------------------------------------------------------------------------

-- Pardus Security Team http://security.pardus.org.tr