Debian Security Advisory

DSA-1777-1 git-core -- file permission error

Date reported:
21 Apr 2009
Affected packages:
git-core
Vulnerable:
Yes
Security database references:
In the Debian bug tracking system: Bug 516669.
More information:

Peter Palfrader discovered that in the Git revision control system, on some architectures, files under /usr/share/git-core/templates/ were owned by a non-root user. This allowed a user with that uid on the local system to write to these files and possibly escalate their privileges.

This issue only affects the DEC Alpha and MIPS (big and little endian) architectures.

For the old stable distribution (etch), this problem has been fixed in version 1.4.4.4-4+etch2.

For the stable distribution (lenny), this problem has been fixed in version 1.5.6.5-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in version 1.6.2.1-1.

We recommend that you upgrade your git-core package.
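To check an installed system for the condition described above, the following added example (not part of the advisory) lists entries under the template directory that are not owned by the expected uid. It goes slightly beyond the advisory by also flagging group- or world-writable entries; the function name `audit_tree` and the expected owner uid 0 (root) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Prints every entry under a directory tree that is not owned by the
# expected uid, or that is group- or world-writable. Symlinks are skipped
# for the mode test because their own mode bits are not meaningful.
audit_tree() {
    dir=$1
    uid=${2:-0}   # assumption: the tree should be owned by root (uid 0)
    find "$dir" \( ! -user "$uid" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

# Path taken from the advisory; skipped quietly on hosts without it.
TEMPLATES=/usr/share/git-core/templates
if [ -d "$TEMPLATES" ]; then
    audit_tree "$TEMPLATES" 0
fi
```

No output for the template directory means every entry is owned by root and none is writable by group or others.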

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2.dsc
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2.diff.gz
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-4+etch2_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-4+etch2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1.dsc
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny1_all.deb
http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.