Debian Security Advisory

DSA-1708-1 git-core -- shell command injection

Date Reported:
19 Jan 2009
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 512330.
In Mitre's CVE dictionary: CVE-2008-5516, CVE-2008-5517, CVE-2008-5916.
More information:

It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities:

Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality (CVE-2008-5916).

Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server (CVE-2008-5516, CVE-2008-5517).

For the stable distribution (etch), these problems have been fixed in version

For the unstable distribution (sid) and testing distribution (lenny), the remote shell command injection issue (CVE-2008-5516) has been fixed in version 1.5.6-1. The other issue will be fixed soon.

We recommend that you upgrade your Git packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.