FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

git -- gitweb privilege escalation

Affected packages
git < 1.6.0.6

Details

VuXML ID ecad44b9-e663-11dd-afcd-00e0815b8da8
Discovery 2008-12-20
Entry 2009-01-19

Git maintainers report:

gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying the diff.external configuration variable in his repository and running a crafted gitweb query.
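An added triage aid, not part of the advisory or of Git: the Python sketch below walks a directory of repositories served by gitweb and reports any whose own configuration sets diff.external, the variable named in the report. It assumes each repository keeps its settings in a `config` file beside `HEAD` (a bare repository or a `.git` directory); the function names, sample repositories and helper path are constructed for illustration.

```python
import os
import tempfile

def diff_external(config_text):
    """Return the last diff.external value in git-config text, or None."""
    section, value = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):
            end = line.find("]")
            # Section names are case-insensitive; [diff "x"] is a subsection, not [diff].
            section = line[1:end].strip().lower()
            line = line[end + 1:].strip()        # a key may follow on the header line
            if not line:
                continue
        key, _, val = line.partition("=")
        if section == "diff" and key.strip().lower() == "external":
            value = val.strip().strip('"')
    return value

def audit(project_root):
    """Map repository path -> diff.external value for repos under project_root."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(project_root):
        if "config" in filenames and "HEAD" in filenames:
            with open(os.path.join(dirpath, "config"), errors="replace") as fh:
                value = diff_external(fh.read())
            if value is not None:
                hits[dirpath] = value
            dirnames[:] = []                     # do not descend into objects/, refs/
    return hits

def demo():
    """Build two constructed bare-repository layouts and audit them."""
    root = tempfile.mkdtemp()
    samples = {
        "clean.git": "[core]\n\tbare = true\n",
        "flagged.git": "[core]\n\tbare = true\n[Diff]\n\texternal = /home/user/helper.sh\n",
    }
    for name, cfg in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        with open(os.path.join(root, name, "config"), "w") as fh:
            fh.write(cfg)
    return {os.path.basename(p): v for p, v in audit(root).items()}

if __name__ == "__main__":
    print(demo())
```

Setting diff.external is legitimate in itself; on a host that runs gitweb with git older than 1.6.0.6, a hit marks a repository to review.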

References

Bugtraq ID 32967
Message 7vhc4z1gys.fsf@gitster.siamese.dyndns.org
URL http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.6.0.6.txt