CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.0004 Low (percentile 5.2%)

QGit is a graphical interface to git repositories that allows you to browse revision history and view patch content and changed files.
Raphael Marichez discovered that the DataLoader::doStart() method creates temporary files in an insecure manner and executes them.
A local attacker could perform a symlink attack, possibly overwriting files or executing arbitrary code with the rights of the user running QGit.
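The flaw class described above, as an added example in C (not QGit's source and not part of the advisory): a fixed-name temporary file beside an mkstemp()-based replacement, exercised inside a private sandbox directory. All function names, paths and file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure (illustrative, not QGit's code): open() on a fixed name follows a planted symlink. */
static int write_insecure(const char *path, const char *body) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (fd < 0) return -1;
    int ok = write(fd, body, strlen(body)) == (ssize_t)strlen(body);
    close(fd);
    return ok ? 0 : -1;
}

/* Hardened: mkstemp() picks an unpredictable name and creates it with O_EXCL,
 * so nothing pre-planted is followed; checks use the descriptor, not the path. */
static int write_secure(char *tmpl, const char *body) {
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fstat(fd, &st) || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchmod(fd, S_IRWXU) || write(fd, body, strlen(body)) != (ssize_t)strlen(body)) {
        close(fd); unlink(tmpl); return -1;
    }
    return close(fd);
}

/* Constructed sandbox; returns 1 if the symlinked "victim" file is intact, 0 if clobbered. */
int victim_survives(int secure) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", victim[64], fixed[64], tmpl[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/script.sh", dir);
    snprintf(tmpl, sizeof tmpl, "%s/script.XXXXXX", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("precious", f) < 0 || fclose(f) || symlink(victim, fixed)) return -1;
    int rc = secure ? write_secure(tmpl, "#!/bin/sh\n") : write_insecure(fixed, "#!/bin/sh\n");
    if (rc || !(f = fopen(victim, "r"))) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f); fclose(f);
    unlink(tmpl); unlink(fixed); unlink(victim); rmdir(dir);
    return n == 8 && strcmp(buf, "precious") == 0;
}

int main(void) {
    printf("victim intact: fixed name=%d, mkstemp=%d\n", victim_survives(0), victim_survives(1));
    return 0;
}
```

On Linux, the `fs.protected_symlinks` sysctl restricts symlink following in sticky world-writable directories such as /tmp, but that is defense in depth and does not replace exclusive creation in the application.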
There is no known workaround at this time.
All QGit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qgit-1.5.7"
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | dev-util/qgit | < 1.5.7 | UNKNOWN |