  • [SECURITY] [DSA 1777-1] New git-core packages fix privilege escalation

    From Thijs Kinkhorst@1:229/2 to All on Tue Apr 21 12:30:14 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1777-1                     [email protected]
    http://www.debian.org/security/                           Thijs Kinkhorst
    April 21, 2009                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : git-core
    Vulnerability : file permission error
    Problem type : local
    Debian-specific: yes
    Debian Bug : 516669

    Peter Palfrader discovered that in the Git revision control system,
    on some architectures files under /usr/share/git-core/templates/ were
    owned by a non-root user. This allows a user with that uid on the local
    system to write to these files and possibly escalate their privileges.

    This issue only affects the DEC Alpha and MIPS (big and little endian) architectures.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.4.4-4+etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.6.5-3+lenny1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.6.2.1-1.

    We recommend that you upgrade your git-core package.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
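
A way to check a system for the defect this advisory describes, as an added example that is not part of the advisory or of Debian's tooling: the shell function below walks a tree such as /usr/share/git-core/templates/ and reports entries not owned by the expected user (root by default). The function name `audit_tree` is an assumption of this example, and its group/world-writable check goes beyond what the advisory covers.

```shell
#!/bin/sh
# Added example: audit a package-installed tree for the ownership defect
# described in DSA-1777-1 (files under /usr/share/git-core/templates/
# owned by a non-root user). Not code from the advisory.

# audit_tree DIR [EXPECTED_OWNER]
#   EXPECTED_OWNER is a user name or numeric uid (default: root).
# Prints one finding per line as "<reason> <path>":
#   owner     entry is not owned by EXPECTED_OWNER
#   writable  entry is group- or world-writable (symlinks are skipped,
#             their mode bits carry no meaning)
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
audit_tree() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "audit_tree: not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # Ownership: the condition the advisory reports.
        find "$dir" ! -user "$owner" -exec printf 'owner %s\n' {} \;
        # Write bits for group/other: an extra check added here.
        find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'writable %s\n' {} \;
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When run as a script with arguments, audit the given tree, e.g.
#   sh audit.sh /usr/share/git-core/templates
[ "$#" -eq 0 ] || audit_tree "$@"
```

A non-zero exit status makes the function usable in a cron job or a configuration-management check that should fail when a finding appears.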