Re: CVE request -- git

["Steven M. Christey" <coley () linus mitre org>]

On Wed, 21 Jan 2009, Tomas Hoger wrote:

> On Tue, 20 Jan 2009 20:09:45 -0500 (EST) "Steven M. Christey"
> <coley () linus mitre org> wrote:
>
> > I updated the descriptions for CVE-2008-5516 and CVE-2008-5517 based
> > on Tomas' description.
>
> Looks like they got texts mixed up.  -5516 was given to git_search
> issue, and -5517 to git_snapshot and git_object issues (the idea was
> to use lower id for the issue fixed earlier).  Btw, commitdiff links are
> correct, only texts need swapping.

Fixed.

> Can you also change "in 1.5.x" to "before 1.5.x" in both descriptions?

Done (modulo CVE style).

> Wording in our BZ is probably confusing, but versions 1.5.5 and 1.5.6
> are the first versions to include the fix, not the vulnerability.

Changed 1.5.5 as a non-affected version, but note this:

> > Same question to the rPath maintainers...
>
> Their announcement mentions version 1.5.6.6, that should have both
> issues fixed (and -5916).  They'll probably clarify what was their
> "old" version.

If they're releasing 1.5.6.6, doesn't that suggest that maybe one of the
issues were still present in 1.5.5?

Current descriptions below.

- Steve

======================================================
Name: CVE-2008-5516
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5516
Reference: BUGTRAQ:20090113 rPSA-2009-0005-1 git gitweb
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/500008/100/0/threaded
Reference: MISC:http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae
Reference: MLIST:[oss-security] 20090120 Re: CVE request -- git
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/20/1
Reference: MLIST:[oss-security] 20090121 Re: CVE request -- git
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/7
Reference: CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2009-0005
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=479715
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2936
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512330
Reference: DEBIAN:DSA-1708
Reference: URL:http://www.debian.org/security/2009/dsa-1708
Reference: SUSE:SUSE-SR:2009:001
Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00002.html

The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote
attackers to execute arbitrary commands via shell metacharacters
related to git_search.


======================================================
Name: CVE-2008-5517
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517
Reference: BUGTRAQ:20090113 rPSA-2009-0005-1 git gitweb
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/500008/100/0/threaded
Reference: MISC:http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5
Reference: MLIST:[oss-security] 20090120 Re: CVE request -- git
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/20/1
Reference: MLIST:[oss-security] 20090121 Re: CVE request -- git
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/7
Reference: CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2009-0005
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=479715
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2936
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512330
Reference: DEBIAN:DSA-1708
Reference: URL:http://www.debian.org/security/2009/dsa-1708
Reference: SUSE:SUSE-SR:2009:001
Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00002.html
Reference: BID:33215
Reference: URL:http://www.securityfocus.com/bid/33215

The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote
attackers to execute arbitrary commands via shell metacharacters
related to (1) git_snapshot and (2) git_object.