Package: git-daemon-sysvinit
Version: 1:1.7.9.1-1
Severity: important
Tags: security patch

Hi,

Jonathan McCrohan writes:

> The restart case of the git-daemon init script blindly enables the daemon
> regardless of the value of GIT_DAEMON_ENABLE.
>
> This allows administrators to inadvertently enable world access to
> repositories, possibly before they have set the appropriate repository
> permissions.
>
> Thankfully, this package was introduced after squeeze was released. This
> vulnerability only affects wheezy, sid, and squeeze-backports.
>
> Please see patch below which fixes this issue.

-- >8 --
From: Jonathan McCrohan <[email protected]>
Date: Sun, 11 Mar 2012 21:07:28 +0000
Subject: [PATCH] Fix git-daemon-sysvinit security vulnerability

The restart case of the git-daemon init script blindly enables the daemon
regardless of the value of GIT_DAEMON_ENABLE.

Signed-off-by: Jonathan McCrohan <[email protected]>
---
 debian/git-daemon.init |   18 +++---------------
 1 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/debian/git-daemon.init b/debian/git-daemon.init
index 0e97c43..619daa7 100644
--- a/debian/git-daemon.init
+++ b/debian/git-daemon.init
@@ -102,21 +102,9 @@ case "$1" in
        ;;
   restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
-       do_stop
-       case "$?" in
-         0|1)
-               do_start
-               case "$?" in
-                       0) log_end_msg 0 ;;
-                       1) log_end_msg 1 ;; # Old process is still running
-                       *) log_end_msg 1 ;; # Failed to start
-               esac
-               ;;
-         *)
-               # Failed to stop
-               log_end_msg 1
-               ;;
-       esac
+       $0 stop
+       $0 start
+       log_end_msg $?
        ;;
   *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
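Review bot: the exit status of `$0 stop` is discarded, so `log_end_msg $?` reports only the result of `$0 start`; if the old process fails to stop, the restart is still reported as a success while the stale daemon keeps running, which the removed `do_stop` / `case "$?"` branch used to catch. Consider checking the stop status before starting, e.g. `$0 stop || { log_end_msg 1; exit 1; }` ahead of `$0 start`. A short comment in the hunk saying that the re-invocation is deliberate, so that the start case's GIT_DAEMON_ENABLE check is applied on restart as well, would also help future readers, since running stop and start as separate script invocations now nests their own status output inside the "Restarting $DESC" line.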
-- 
1.7.9
