-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0387
                  [Debian] git-core: Increased Privileges
                               22 April 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              git-core
Publisher:            Debian
Operating System:     Debian GNU/Linux
Impact:               Increased Privileges
Access:               Existing Account

Original Bulletin:
  http://www.debian.org/security/2009/dsa-1777

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1777-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
April 21, 2009                        http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : git-core
Vulnerability  : file permission error
Problem type   : local
Debian-specific: yes
Debian Bug     : 516669

Peter Palfrader discovered that in the Git revision control system, on
some architectures files under /usr/share/git-core/templates/ were owned
by a non-root user. This allows a user with that uid on the local system
to write to these files and possibly escalate their privileges. This
issue only affects the DEC Alpha and MIPS (big and little endian)
architectures.

For the old stable distribution (etch), this problem has been fixed in
version 1.4.4.4-4+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.2.1-1.

We recommend that you upgrade your git-core package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2.dsc
    Size/MD5 checksum:      805 2693d7024a52e175ea62eaff3c07a61a
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2.diff.gz
    Size/MD5 checksum:    71107 34ad45133052ce77f2f803554aa9dda1
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz
    Size/MD5 checksum:  1054130 99bc7ea441226f792b6f796a838e7ef0

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    68960 6ceed58c872080f324ca8a662fefda8c
  http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:   466672 3a557c1e51a90e0278d5d1a249f5da57
  http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    55782 c31f96adaa78b22f0066c936909f75c8
  http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    88466 d4f2fe54f9fa94ac65ad23bcd0a262d1
  http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:   101018 896a41a4a8c301e47e584617ea1c2f4e
  http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    99756 ac00ea6de16a1aa34539f2381d02722e
  http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    94168 8470e1691d1733cb7b172b1ad68bfe6a
  http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-4+etch2_all.deb
    Size/MD5 checksum:    63252 3bc6980242c54684b97918195cb04420

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_alpha.deb
    Size/MD5 checksum:  3088136 abc602dba99ef25f760a355a54e069c6

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_amd64.deb
    Size/MD5 checksum:  2642492 0e3cafc333d0afd1c9a4e30766411cfc

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_arm.deb
    Size/MD5 checksum:  2320802 1254025ebc1e95ce11292e38b06798ee

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_hppa.deb
    Size/MD5 checksum:  2694116 c866ee375a5d459fc165ae195348023c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_i386.deb
    Size/MD5 checksum:  2353376 38737a48d77b9f5ee8ff5f818b27649e

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_ia64.deb
    Size/MD5 checksum:  3815820 c184bf1ea1d53d995b5ff10383660642

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_mips.deb
    Size/MD5 checksum:  2784232 abbbd45333878d3a3c1e93bc561135fd

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_mipsel.deb
    Size/MD5 checksum:  2801396 824d5a6c8a586ddbe195abdf260d839d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_powerpc.deb
    Size/MD5 checksum:  2639158 1cac055c562efeb9283dd86d5393c1a5

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_s390.deb
    Size/MD5 checksum:  2628128 b23f89843f3d8131ac8137e12fc6bed9

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch2_sparc.deb
    Size/MD5 checksum:  2301568 8f7792ade4bbca99ce3bf7677fb14560


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
    Size/MD5 checksum:  2103619 c22da91c913a02305fd8a1a2298f75c9
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1.dsc
    Size/MD5 checksum:     1331 d71b5b45cf6267c99294e91f6991a11b
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1.diff.gz
    Size/MD5 checksum:   226400 b448283f2944fb6908594ba8f55a5f41

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   230864 c7853c3b4d671d79b4a0fb25289236bf
  http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   267878 fac3a5791789b1fec762ff32ac073a8b
  http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   217632 f06add8050805c4e59be0c7bd59c50d2
  http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   267052 b9053e17ea5473d642f4307e5dc8a320
  http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   298458 e0aebaff07db768f83d81ec9fa143847
  http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   268096 6d6c2c3e675885f0b958103983fd7446
  http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:  1076590 9cc1a31a802041e55ab3f7560acbf547
  http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   229144 f545c11bf21e4e4069a5197da7c2c48f
  http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny1_all.deb
    Size/MD5 checksum:   401374 a1511118ee3c1c379dfb98be35899514

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_alpha.deb
    Size/MD5 checksum:  3821086 cfeccb787aa6e4d001ca5042941397cf

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_amd64.deb
    Size/MD5 checksum:  3426768 aa6418c7300e3851d13d0cb1549c1fa2

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_arm.deb
    Size/MD5 checksum:  3045298 1156c20c95f6e392531a763617a6b3e7

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_armel.deb
    Size/MD5 checksum:  3067946 3d901082ec012f7507240117225fc884

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_hppa.deb
    Size/MD5 checksum:  3163726 0ed1cad303007ecb1afa7bda475cbc97

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_i386.deb
    Size/MD5 checksum:  3138600 eeb82eadf948b5da722fbe23eeabb86b

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_ia64.deb
    Size/MD5 checksum:  4759030 340622fbc09e9e914d666a7ae1092434

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_mips.deb
    Size/MD5 checksum:  3419126 1bbb25d016b3d76ae020e9f58a9199c7

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_mipsel.deb
    Size/MD5 checksum:  3420520 5ebe827bea6baad8b6860d3ca0ce9925

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_powerpc.deb
    Size/MD5 checksum:  3473356 6ffb59e850de883cfaa581f6b7caef19

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_s390.deb
    Size/MD5 checksum:  3411104 7d4389b212da668bfe175f7456d47761

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny1_sparc.deb
    Size/MD5 checksum:  3079872 dab8f44b47dc73865c0d83a223801e6e


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ7Z5EAAoJECIIoQCMVaAcTOIIAICkdaRQasqMDrX5Qg8TTF0i
fNZZbkVDhbxDQSI4E08VxM40IifRnT7cITffHea2l5SDLQ4t49uSpIErpUjZvbQj
fC3qVAKOikLQKbvqCEoJcIpAxBbbJWQzgoayRCFruWgFz8Vmb2jQqHGgh1yQzHj/
dmef+ToPc6n77LaX7DccpMDzxOMO9L+klMbCOO32JTcihRhacaPQZVnLaTPzMdEn
iZznkW9SKnLP7hipn9jih7XLgyhyzOLA2gHr0DhGgrlsiafqEjx+qohi1GPvJ3so
cvlqIHOJOicsC3A2BE35YY+UWxdh5y/oNCMV3YGStN0mZpoIWWVBdZwLe2znDQw=
=TcYJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJ7loZNVH5XJJInbgRAu0ZAJ9zAoEpOKiERmvve+srKWrHg5ewWgCcCrdS
AJKPHxeZzSIuBjlUupMK65M=
=9pk8
-----END PGP SIGNATURE-----
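Added example (not part of the Debian advisory or the AusCERT bulletin above): a small POSIX shell audit for the condition DSA-1777-1 describes. Template ownership matters because `git init` copies the contents of the template directory, the hooks/ subdirectory included, into every new repository; a local user who can write to /usr/share/git-core/templates/ can therefore shape what lands in repositories created by other accounts, which is why the advisory treats the wrong owner as a possible privilege escalation. The script lists every path under a template directory whose owner is not the expected uid (0 for root on a real host) and, where dpkg is present, compares the installed git-core version with a fixed version from the advisory using dpkg's own version ordering. The function names, the `--run` flag and the constructed sample tree are this example's own assumptions, not anything from Debian.

```shell
#!/bin/sh
# Added example for DSA-1777-1; not part of the Debian advisory or the
# AusCERT bulletin. Function names and the --run flag are this example's own.
set -u

# List every path under DIR whose owner uid is not EXPECTED_UID (0 for root
# on a real system). Exit status 0 means nothing was found, 1 means at least
# one entry has the wrong owner. find's -uid test is supported by GNU and
# BSD find.
find_wrong_owner() {
    dir=$1
    expected_uid=$2
    found=$(find "$dir" ! -uid "$expected_uid" 2>/dev/null | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Same test, but print the number of offending entries instead of listing them.
count_wrong_owner() {
    find "$1" ! -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Compare the installed git-core version against a fixed version from the
# advisory (1.5.6.5-3+lenny1 for lenny, 1.4.4.4-4+etch2 for etch) using
# dpkg's own version ordering. Prints "fixed", "vulnerable" or "unknown"
# (no dpkg on this host, or git-core not installed).
git_core_status() {
    fixed=$1
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    installed=$(dpkg-query -W -f '${Version}' git-core 2>/dev/null) || { echo unknown; return 0; }
    [ -n "$installed" ] || { echo unknown; return 0; }
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed template tree (shape only, not real package data) so the
# ownership check can be exercised offline. Prints the directory path; the
# caller removes it. Entries: the dir itself, hooks/, info/, two hook files,
# info/exclude and description, seven paths in all.
make_sample_templates() {
    t=$(mktemp -d)
    mkdir -p "$t/hooks" "$t/info"
    : > "$t/hooks/pre-commit"
    : > "$t/hooks/post-update"
    : > "$t/info/exclude"
    : > "$t/description"
    printf '%s\n' "$t"
}

# Stand-alone run: exercise the check on the constructed tree, then audit the
# real template directory and report the package status against the lenny fix.
if [ "${1:-}" = "--run" ]; then
    sample=$(make_sample_templates)
    me=$(id -u)
    echo "sample tree checked against uid $me: $(count_wrong_owner "$sample" "$me") wrong-owner entries"
    echo "sample tree checked against uid $((me + 1)): $(count_wrong_owner "$sample" "$((me + 1))") wrong-owner entries"
    rm -rf "$sample"
    tdir=/usr/share/git-core/templates
    if [ ! -d "$tdir" ]; then
        echo "$tdir: not present on this host"
    elif find_wrong_owner "$tdir" 0; then
        echo "$tdir: all entries owned by root"
    else
        echo "$tdir: entries listed above are not owned by root"
    fi
    echo "git-core package: $(git_core_status 1.5.6.5-3+lenny1)"
fi
```

Run it as `sh audit.sh --run` on the host being checked; without `--run` it only defines the functions, so it can be sourced from another script. Two caveats a practitioner would want: the ownership check is the direct test for the bug, so run it even on hosts where dpkg reports the fixed version (a package upgrade corrects ownership, but a hand-copied template directory would not be touched), and the MD5 sums listed in the advisory only detect download corruption; the authenticity of the packages rests on apt's signed archive metadata and on the DSA's own PGP signature, not on the checksums.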