ports/130600: [vuxml] devel/git: document privilege escalation in gitweb

Eygene Ryabinkin rea-fbsd at codelabs.ru
Fri Jan 16 05:30:03 UTC 2009

>Number:         130600
>Category:       ports
>Synopsis:       [vuxml] devel/git: document privilege escalation in gitweb
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 16 05:30:00 UTC 2009
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
Code Labs

System: FreeBSD 7.1-STABLE amd64


Gitweb privilege escalation that allows a malicious repository owner
to run arbitrary commands with Web-server credentials was discovered
in git versions prior to,, and [1].

[1] http://marc.info/?l=git&m=122975564100860&w=2


Look at the above mailing list message and the patches it contains.


The port was already updated on 2008-12-22, so we're safe here.

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="e8a285bf-e38b-11dd-8bb6-0022156e8794">
    <topic>git -- gitweb privilege escalation</topic>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Git maintainers report:</p>
          <p>Current gitweb has a possible local privilege escalation
          bug that allows a malicious repository owner to run a command
          of his choice by specifying diff.external configuration
          variable in his repository and running a crafted gitweb
      <mlist msgid="7vhc4z1gys.fsf at gitster.siamese.dyndns.org">http://marc.info/?l=git&amp;m=122975564100860&amp;w=2</mlist>
--- vuln.xml ends here ---
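
An added example, not part of the original report or of the git patches: a defender-side audit that walks a gitweb project root and lists repositories whose own config sets the diff.external variable named in the advisory. The function names, the sample config and the directory layout (bare repositories with HEAD and config in one directory) are assumptions made for illustration.

```python
import os
import re
import sys

# Git config section header, optionally with a quoted subsection and a
# trailing "key = value" on the same line (git accepts that form).
SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]\s*(.*)$')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

# Constructed sample: a repository config that sets diff.external.
SAMPLE = '[core]\n\tbare = true\n[Diff]\n\texternal = /tmp/constructed-helper.sh\n'

def diff_external_values(config_text):
    """Return every value assigned to diff.external in git config text.

    Section and key names are matched case-insensitively, as git does.
    Values are reported raw (no unquoting, no continuation lines).
    """
    found, section = [], None
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            # [diff "driver"] is diff.<driver>.*, not diff.external.
            section = None if m.group(2) is not None else m.group(1).lower()
            line = m.group(3)
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        kv = KEYVAL.match(line)
        if kv and section == "diff" and kv.group(1).lower() == "external":
            found.append((kv.group(2) or "").strip())
    return found

def audit_projectroot(root):
    """Map each repository config under root that sets diff.external to its values."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if "config" in files and "HEAD" in files:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                values = diff_external_values(fh.read())
            if values:
                hits[path] = values
    return hits

if __name__ == "__main__":
    # Usage: script.py /path/to/projectroot (path is supplied by the operator)
    for cfg, values in sorted(audit_projectroot(sys.argv[1]).items()):
        print(cfg, values)
```

The scan reads only each repository's own config file; it does not follow include directives or inspect system-wide or per-user configuration.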
