Hi security team,

Greg Brockman wrote at <http://bugs.debian.org/590026>:

> A fix for an exploitable buffer overrun (CVE-2010-2542, per [1]) was
> committed to git in [2]. In particular, if an attacker were to create
> a crafted working copy where the user runs any git command, the
> attacker could force execution of arbitrary code.
>
> This attack should be mitigated to a denial of service if git is
> compiled with appropriate stack-protecting flags.
>
> This buffer overrun was introduced in [3], which first appeared in
> v1.5.6, and is fixed in v1.7.2.
>
> Greg
>
> [1] http://seclists.org/oss-sec/2010/q3/93
> [2] http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc
> [3] http://git.kernel.org/?p=git/git.git;a=commit;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20

More precisely, the problem is a buffer overrun when encountering a file
.git with the content

  gitdir: (something really long)

When git checks the target of the .git file’s reference, it stores the
filename on the stack in a buffer of size PATH_MAX. (By contrast, the
environment variable GIT_DIR=(something really long) is protected
against already.)

This can be used for privilege escalation when a privileged user runs a
git command that checks for a repository (like ‘git ls-remote’) in /tmp
and outside of any git repository, for example. You can check it with
valgrind.

debdiff follows. Thoughts?

Jonathan

diff -u git-core-1.5.6.5/debian/changelog git-core-1.5.6.5/debian/changelog
--- git-core-1.5.6.5/debian/changelog
+++ git-core-1.5.6.5/debian/changelog
@@ -1,3 +1,11 @@ +git-core (1:1.5.6.5-3+lenny4) stable-security; urgency=high + + * debian/diff/0009-Check-size-of-path-buffer-before-writing-...diff: + new, cherry-picked from 3c9d041: setup: Check size of path buffer + before writing into it (closes: #590026, CVE-2010-2542). + + -- Jonathan Nieder <jrnie...@gmail.com> Thu, 22 Jul 2010 20:07:36 -0500 + git-core (1:1.5.6.5-3+lenny3) stable-security; urgency=high * debian/diff/0008-git-cvsserver-allow-regex-metacharacters-...diff: only in patch2: unchanged: --- git-core-1.5.6.5.orig/debian/diff/0009-Check-size-of-path-buffer-before-writing-into-it.patch +++ git-core-1.5.6.5/debian/diff/0009-Check-size-of-path-buffer-before-writing-into-it.patch @@ -0,0 +1,33 @@ +From 7d4837bfd735616b162e347790f3bfc3f2f69f44 Mon Sep 17 00:00:00 2001 +From: Greg Brockman <g...@mit.edu> +Date: Tue, 20 Jul 2010 00:46:21 -0400 +Subject: [PATCH] Check size of path buffer before writing into it + +This prevents a buffer overrun that could otherwise be triggered by +creating a file called '.git' with contents + + gitdir: (something really long) + +Signed-off-by: Greg Brockman <g...@mit.edu> +Signed-off-by: Junio C Hamano <gits...@pobox.com> +(cherry picked from commit 3c9d0414ed2db0167e6c828b547be8fc9f88fccc) +--- + setup.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/setup.c b/setup.c +index 3b111ea..00558bb 100644 +--- a/setup.c ++++ b/setup.c +@@ -228,6 +228,8 @@ static int is_git_directory(const char *suspect) + char path[PATH_MAX]; + size_t len = strlen(suspect); + ++ if (PATH_MAX <= len + strlen("/objects")) ++ die("Too long path: %.*s", 60, suspect); + strcpy(path, suspect); + if (getenv(DB_ENVIRONMENT)) { + if (access(getenv(DB_ENVIRONMENT), X_OK)) +-- +1.7.2.rc3 +
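Review bot: in the changelog hunk, the new entry names the file as debian/diff/0009-Check-size-of-path-buffer-before-writing-...diff, but the file this debdiff adds is debian/diff/0009-Check-size-of-path-buffer-before-writing-into-it.patch; the extension does not match. The existing 0008 entry uses the same "...diff" abbreviation, so either rename the added file to end in .diff to follow the directory's convention or spell out the .patch name in the entry so it can be grepped. The "(closes: #590026, CVE-2010-2542)" reference matches the bug and CVE discussed above.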
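Review bot: in the setup.c hunk, the bound is tied to the literal "/objects", which is only safe as long as that stays the longest suffix strcpy'd onto path in this function; a one-line comment stating that invariant next to `if (PATH_MAX <= len + strlen("/objects"))` (or a named constant for the longest suffix) would keep a later "/something-longer" from silently reintroducing the overrun. The comparison itself is right: rejecting PATH_MAX <= len + 8 leaves exactly room for len + 8 bytes plus the terminating NUL in `char path[PATH_MAX];`, and the check sits before `strcpy(path, suspect);`, which is the first write. Note that `die("Too long path: %.*s", 60, suspect);` still lets a crafted .git file abort any git command run in that directory, so the denial of service Greg mentions remains; that is the expected outcome of the fix, not a gap in it. The `%.*s` with 60 is a good touch, since it avoids echoing the attacker's multi-kilobyte path into the error output.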
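The mechanism Jonathan describes, a .git file whose gitdir: target is longer than the PATH_MAX stack buffer in is_git_directory(), as an added example that is not git's code and not part of the original message. It places a model of the pre-fix strcpy() beside the bound the cherry-picked hunk adds; the hardened model returns -1 where git calls die(), so the rejection is observable, and it stops at building the "<target>/objects" string instead of calling access() on it. PATH_MAX comes from <limits.h> (4096 is assumed if the header does not define it); gitfile_target(), crafted_gitfile() and the sample ".git" contents are constructed here and are not git APIs.

```c
/* Added example, not git's code: a model of the CVE-2010-2542 overrun in
 * is_git_directory() and of the bound added by commit 3c9d041. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumption for platforms without it */
#endif

/* Parse the content of a ".git" file of the form "gitdir: <path>\n".
 * Returns a malloc'd copy of <path> (caller frees) or NULL if the
 * content is not a gitdir line. Hypothetical helper, not git's reader. */
char *gitfile_target(const char *content)
{
    static const char prefix[] = "gitdir: ";
    size_t n;
    char *out;

    if (strncmp(content, prefix, sizeof(prefix) - 1) != 0)
        return NULL;
    content += sizeof(prefix) - 1;
    n = strcspn(content, "\r\n");
    out = malloc(n + 1);
    if (!out)
        return NULL;
    memcpy(out, content, n);
    out[n] = '\0';
    return out;
}

/* Pre-fix shape (never call this with an untrusted path): the target is
 * copied into a PATH_MAX stack buffer with no length check, so a gitdir:
 * target longer than PATH_MAX - strlen("/objects") - 1 overruns `path`. */
int is_git_directory_unchecked(const char *suspect)
{
    char path[PATH_MAX];
    size_t len = strlen(suspect);

    strcpy(path, suspect);            /* overruns once len >= PATH_MAX */
    strcpy(path + len, "/objects");   /* and again here */
    return path[0] != '\0';
}

/* Post-fix shape: the same bound as the hunk,
 *   if (PATH_MAX <= len + strlen("/objects")) die(...)
 * but returning -1 instead of die() so callers can observe it. Returns 1
 * when the path fits ("<suspect>/objects" is copied to `out` if given). */
int is_git_directory_checked(const char *suspect, char *out, size_t outsz)
{
    char path[PATH_MAX];
    size_t len = strlen(suspect);

    if (PATH_MAX <= len + strlen("/objects"))
        return -1;   /* git: die("Too long path: %.*s", 60, suspect) */
    strcpy(path, suspect);
    strcpy(path + len, "/objects");   /* longest suffix; fits by the check */
    /* git would now access() this path, then "/refs" and "/HEAD". */
    if (out && outsz) {
        strncpy(out, path, outsz);
        out[outsz - 1] = '\0';
    }
    return 1;
}

/* ".git" file content -> 1 (git would proceed), -1 (path rejected),
 * 0 (not a gitdir: line at all). */
int check_gitfile(const char *content)
{
    char *target = gitfile_target(content);
    int rc;

    if (!target)
        return 0;
    rc = is_git_directory_checked(target, NULL, 0);
    free(target);
    return rc;
}

/* Constructed attacker content: "gitdir: " + n x 'A' + "\n". Caller frees. */
char *crafted_gitfile(size_t n)
{
    char *buf = malloc(8 + n + 2);

    if (!buf)
        return NULL;
    memcpy(buf, "gitdir: ", 8);
    memset(buf + 8, 'A', n);
    buf[8 + n] = '\n';
    buf[8 + n + 1] = '\0';
    return buf;
}

/* Result of check_gitfile() for a crafted target of n bytes (-2 on OOM). */
int crafted_gitfile_result(size_t n)
{
    char *content = crafted_gitfile(n);
    int rc;

    if (!content)
        return -2;
    rc = check_gitfile(content);
    free(content);
    return rc;
}

/* 1 if the checked model accepts `suspect` and builds exactly `expect`. */
int objects_path_matches(const char *suspect, const char *expect)
{
    char out[PATH_MAX];

    if (is_git_directory_checked(suspect, out, sizeof out) != 1)
        return 0;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    printf("short target:     %d\n", check_gitfile("gitdir: ../real.git\n"));
    printf("%zu-byte target: %d\n", (size_t)(2 * PATH_MAX),
           crafted_gitfile_result(2 * PATH_MAX));
    printf("PATH_MAX-9 bytes: %d, PATH_MAX-8 bytes: %d\n",
           crafted_gitfile_result(PATH_MAX - 9),
           crafted_gitfile_result(PATH_MAX - 8));
    return 0;
}
```

The two boundary targets, PATH_MAX - 9 and PATH_MAX - 8 bytes, show why the hunk compares with <=: the longer one leaves no room for the terminating NUL after "/objects". Feeding the crafted content to is_git_directory_unchecked() is only safe in a throwaway process; built with -fsanitize=address it reports the stack-buffer-overflow on the first strcpy.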