
Secunia Security Advisory 34794
Posted Apr 23, 2009
Authored by Secunia | Site secunia.com

Secunia Security Advisory - Debian has acknowledged a security issue in git-core, which can be exploited by malicious, local users to manipulate certain data and to potentially gain escalated privileges.

tags | advisory, local
systems | linux, debian
SHA-256 | 106fa1dae6a87f6afbe12bcd82bb657ce4b286f1576cf45c60e7b00279d5f7c1


TITLE:
Debian git-core Insecure File Ownership Security Issue

SECUNIA ADVISORY ID:
SA34794

VERIFY ADVISORY:
http://secunia.com/advisories/34794/

DESCRIPTION:
Debian has acknowledged a security issue in git-core, which can be
exploited by malicious, local users to manipulate certain data and to
potentially gain escalated privileges.

The security issue is caused by certain files in the
"/usr/share/git-core/templates/" folder being owned by a non-root
user, which can be exploited to e.g. modify the files.

Successful exploitation requires a DEC Alpha or MIPS (big or little
endian) system and that the attacker has the same user ID as the
owner of the affected files.

SOLUTION:
Apply updated packages.

-- Debian GNU/Linux 4.0 alias etch --

Fixed in version 1.4.4.4-4+etch2.

Updated source archives, architecture independent packages (git-arch,
git-doc, git-daemon-run, gitweb, git-svn, gitk, git-cvs, git-email)
and git-core packages for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc are available under:
http://security.debian.org/pool/updates/main/g/git-core/

-- Debian GNU/Linux 5.0 alias lenny --

Fixed in version 1.5.6.5-3+lenny1.

Updated source archives, architecture independent packages (git-arch,
gitweb, git-daemon-run, git-cvs, gitk, git-svn, git-doc, git-email,
git-gui) and git-core packages for alpha, amd64, arm, armel, hppa,
i386, ia64, mips, mipsel, powerpc, s390 and sparc are available under:
http://security.debian.org/pool/updates/main/g/git-core/

-- Debian GNU/Linux unstable alias sid --

Fixed in version 1.6.2.1-1.
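
To check a host for the condition described above, before or after applying the updated packages, the following added example (not part of the Secunia or Debian advisory) lists entries under the templates folder that are not owned by the expected user or that are writable by group or others. The function names and the optional expected-UID argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit ownership and write permissions of a directory tree.
# The default path is the one named in the advisory; the expected owner
# defaults to root (uid 0). Function names are hypothetical.

# list_insecure [DIR] [EXPECTED_UID]
# Prints one "ls -ldn" line per finding, prefixed with the reason.
list_insecure() {
    dir=${1:-/usr/share/git-core/templates}
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # Entries not owned by the expected uid (the condition in the advisory).
    find "$dir" ! -user "$want_uid" -exec ls -ldn {} + | sed 's/^/owner: /'

    # Entries writable by group or others. Symlinks are skipped because
    # their own mode bits do not control access.
    find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -exec ls -ldn {} + |
        sed 's/^/writable: /'
}

# count_insecure [DIR] [EXPECTED_UID]
# Prints the number of findings; returns 2 if DIR cannot be audited.
count_insecure() {
    findings=$(list_insecure "$@") || return 2
    if [ -z "$findings" ]; then
        echo 0
    else
        printf '%s\n' "$findings" | wc -l | tr -d ' '
    fi
}

# Run directly with no arguments to audit the path from the advisory:
#   list_insecure
#   [ "$(count_insecure)" = 0 ] && echo "templates: ownership OK"
```

A non-zero count after upgrading means the files on disk still carry the old ownership or mode and should be compared against the package contents.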

PROVIDED AND/OR DISCOVERED BY:
Peter Palfrader

ORIGINAL ADVISORY:
DSA-1777-1:
http://lists.debian.org/debian-security-announce/2009/msg00087.html
