oss-sec mailing list archives
Re: CVE request -- git
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 20 Jan 2009 09:02:31 +0100
On Mon, 19 Jan 2009 21:57:03 +0100 Florian Weimer <fw () deneb enyo de> wrote:
Nerver mind, Novell used CVE-2008-5517 for this.
No, they have not. They fixed both -5516 (git_search) and -5517 (git_snapshot and git_object) issues using quote_command() (in their git-1.5.2.4-24.4.src.rpm). No idea why only one of the CVEs was mentioned in the security report... They don't seem to include any patch for diff.external issue, or claim to have fixed it. So -5517 is now really used to refer to two different issues...
(the CVE description is somewhat misleading, I think):
With little further details in SuSE security report, I think the description is quite appropriate - unspecified remote hole related to shell metacharacters. Adding the two repo.or.cz links was most likely a guess, not a good one though. Mitre was notified about this inconsistency in the -5517 description and references. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE request -- git Florian Weimer (Jan 15)
- Re: CVE request -- git Florian Weimer (Jan 19)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Sebastian Krahmer (Jan 20)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Sebastian Krahmer (Jan 20)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Florian Weimer (Jan 19)
- Re: CVE request -- git Tomas Hoger (Jan 21)
- Re: CVE request -- git Steven M. Christey (Jan 22)
- Re: CVE request -- git Tomas Hoger (Jan 23)