Package: git-cvs
Version: 1:1.7.10.4-2
Severity: normal
File: /usr/lib/git-core/git-cvsimport

I noticed that when running git-cvsimport it would invoke git
hash-object in a way that causes it to read /tmp/.gitattributes.
Normally this file does not exist, but remember that /tmp is
world-writable. A user with malintent could create a symbolic link to
/dev/zero and cause git to run a long time. I am not aware of a way to
cause a privilege escalation though. In any case: Don't do that.

The cause is this invocation from git-cvsimport:
    exec("git", "hash-object", "-w", $tmpname)

$tmpname refers to a file in /tmp and unless --no-filters is given to
git hash-object it looks for a .gitattributes in the same directory.
Possible options:
1) Use a temporary directory.
2) Pass --no-filters.
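The following is an added example that is not part of the bug report or of git-cvsimport itself (which is Perl): it shows the attribute-lookup rule the report describes and both proposed fixes in Python. The function names (attributes_lookup_dir, unsafe_lookup, private_tmpdir, hash_object_args) are my own, and the "cvsimport-" prefix is a constructed sample value.

```python
"""Hash a temporary file with git without consulting a .gitattributes that
lives in a world-writable directory such as /tmp.

Added example, not code from git-cvsimport; all function names are assumptions.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def attributes_lookup_dir(path):
    """Directory whose .gitattributes `git hash-object` consults for `path`
    when filters are enabled: the directory the file itself sits in."""
    return os.path.dirname(os.path.abspath(path))


def is_world_writable(path):
    """True if "other" users have write permission on `path` (/tmp is 1777)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def unsafe_lookup(path):
    """True if hashing `path` with filters enabled would read a .gitattributes
    that any local user could have planted (or symlinked) next to it."""
    return is_world_writable(attributes_lookup_dir(path))


def private_tmpdir(prefix="cvsimport-"):
    """Option 1: a fresh directory only the caller can write to.
    tempfile.mkdtemp creates it with mode 0700, so nobody else can add a
    .gitattributes beside the file."""
    return tempfile.mkdtemp(prefix=prefix)


def hash_object_args(path, no_filters=True):
    """Option 2: the argv to exec instead of the bare
    ("git", "hash-object", "-w", $tmpname) from the report."""
    args = ["git", "hash-object", "-w"]
    if no_filters:
        args.append("--no-filters")  # skip the .gitattributes lookup entirely
    args.append(path)
    return args


def hash_object(path, no_filters=True):
    """Run git and return the resulting object id (requires git on PATH)."""
    result = subprocess.run(
        hash_object_args(path, no_filters), capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def demo():
    """Apply both fixes together: private directory plus --no-filters."""
    workdir = private_tmpdir()
    try:
        target = os.path.join(workdir, "revision")
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        print("lookup dir:", attributes_lookup_dir(target),
              "world-writable:", unsafe_lookup(target))
        if shutil.which("git"):
            print("object id:", hash_object(target))
        else:
            print("git not found; argv would be:", hash_object_args(target))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    demo()
```

unsafe_lookup("/tmp/anything") is True on a normal system because /tmp is mode 1777; the same check on a path inside private_tmpdir() is False, which is the property option 1 relies on. Option 2 removes the lookup altogether and is the smaller change to git-cvsimport.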

Helmut
