A flaw was found in the gitolite ADC (Admin Defined Commands) system [1]. If the ADC feature were enabled, a remote user could connect to gitolite and execute arbitrary commands by specifying a command such as "../../../../usr/bin/foo" because gitolite did not filter command names. This has been corrected upstream [2] in version 1.5.9.1 and gitolite will now refuse to execute any commands with ".." in the supplied command name.

Note that ADC is only enabled when GL_ADC_PATH is set in the rc file (it is not enabled or set by default) and both the documentation and example rc file note that there are security risks involved with using ADC.

[1] http://groups.google.com/group/gitolite/browse_thread/thread/797a93ec26e1dcbc?pli=1
[2] https://github.com/sitaramc/gitolite/commit/4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc
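The following is an added illustration of the check described above, not gitolite's own (Perl) code: it shows how an unfiltered command name joined onto GL_ADC_PATH resolves outside the ADC directory, beside a filter that refuses ".." as the upstream fix does and additionally confirms the resolved path stays inside the base directory. The GL_ADC_PATH value and the function names are assumptions made for the example.

```python
import posixpath

# Constructed stand-in for a GL_ADC_PATH setting from the rc file
# (hypothetical value; any absolute directory works for the check).
GL_ADC_PATH = "/home/git/.gitolite/adc"


def resolve_adc_unfiltered(base, name):
    """Behaviour before the fix, as described in the report: the supplied
    command name is joined onto GL_ADC_PATH with no filtering, so a name
    containing '..' resolves to a path outside the ADC directory."""
    return posixpath.normpath(posixpath.join(base, name))


def is_safe_adc_name(name):
    """Reject command names that could escape GL_ADC_PATH.

    The upstream fix refuses any name containing '..'. This filter is
    stricter (an added assumption): it also refuses empty and absolute
    names and any embedded '/', so a name can only select a file that
    sits directly inside the ADC directory."""
    if not name or name.startswith("/"):
        return False
    if ".." in name or "/" in name:
        return False
    return True


def resolve_adc_filtered(base, name):
    """Return the command path only when the name passes the filter and
    the resolved path is still inside base; otherwise return None."""
    if not is_safe_adc_name(name):
        return None
    path = posixpath.normpath(posixpath.join(base, name))
    # Defence in depth: verify the normalised path did not leave base.
    if posixpath.commonpath([base, path]) != base:
        return None
    return path
```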
Created gitolite tracking bugs for this issue

Affects: fedora-all [bug 695569]
Affects: epel-6 [bug 695570]
This was fixed long ago in:

gitolite-1.5.3-2.fc14
gitolite-1.5.7-2.1.el6