CVE-2008-5916 Information

Description

gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.

Reference

http://marc.info/?l=git&m=122975564100860&w=2
http://marc.info/?l=linux-kernel&m=122975564100863&w=2
http://osvdb.org/50918
http://secunia.com/advisories/33282
http://secunia.com/advisories/33964
http://secunia.com/advisories/34194
http://securityreason.com/securityalert/4922
http://www.gentoo.org/security/en/glsa/glsa-200903-15.xml
http://www.openwall.com/lists/oss-security/2009/01/15/2
http://www.openwall.com/lists/oss-security/2009/01/20/2
http://www.ubuntu.com/usn/USN-723-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/47528
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01169.html
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01170.html
