Package: git-daemon-sysvinit
Version: 1:1.7.9.1-1
Severity: important
Tags: security patch

Hi,

Jonathan McCrohan writes:

> The restart case of the git-daemon init script blindly enables the daemon
> regardless of the value of GIT_DAEMON_ENABLE.
>
> This allows administrators to inadvertently enable world access to
> repositories, possibly before they have set the appropriate repository
> permissions.
>
> Thankfully, this package was introduced after squeeze was released. This
> vulnerability only affects wheezy, sid, and squeeze-backports.
>
> Please see patch below which fixes this issue.

-- >8 --
From: Jonathan McCrohan <[email protected]>
Date: Sun, 11 Mar 2012 21:07:28 +0000
Subject: [PATCH] Fix git-daemon-sysvinit security vulnerability

The restart case of the git-daemon init script blindly enables the daemon
regardless of the value of GIT_DAEMON_ENABLE.

Signed-off-by: Jonathan McCrohan <[email protected]>
--- debian/git-daemon.init | 18 +++--------------- 1 files changed, 3 insertions(+), 15 deletions(-) diff --git a/debian/git-daemon.init b/debian/git-daemon.init index 0e97c43..619daa7 100644 --- a/debian/git-daemon.init +++ b/debian/git-daemon.init @@ -102,21 +102,9 @@ case "$1" in ;; restart|force-reload) log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac + $0 stop + $0 start + log_end_msg $? ;; *) echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 -- 1.7.9
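
Review bot: In the restart|force-reload branch the exit status of `$0 stop` is never checked, so `$0 start` runs even when the stop failed, and `log_end_msg $?` reports only the result of the start; the removed lines logged a failure and skipped the start in the "Failed to stop" case. Either capture the stop status and bail out on failure before starting, or keep the original do_stop/do_start structure and put the GIT_DAEMON_ENABLE test in front of do_start, which closes the bypass without losing the error handling. `$0` should also be quoted as `"$0"`, since it re-executes the script by whatever path it was invoked with. Whether the fix holds depends on the start case honouring GIT_DAEMON_ENABLE, which is outside this hunk, so the commit message should say where that check lives and what status a disabled start hands to `log_end_msg`.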

