Your message dated Sat, 09 Aug 2008 12:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#494097: fixed in git-core 1:1.5.6.3-1.1
has caused the Debian Bug report #494097,
regarding git-core: stack-based buffer overflow in git-diff and git-grep
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
494097: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494097
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: git-core
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for git-core.
| Some vulnerabilities have been reported in GIT, which can potentially be
| exploited by malicious people to compromise a user's system.
|
| The vulnerabilities are caused due to boundary errors in various functions
| when processing overly long repository pathnames. These can be exploited to
| cause stack-based buffer overflows by tricking a user into running e.g.
| "git-diff" or "git-grep" against a repository containing pathnames that are
| larger than the "PATH_MAX" value on the user's system.
|
| Successful exploitation may allow execution of arbitrary code.
In this case there is no CVE id yet. I will add the CVE id to the bug report
when I get it. Please make sure to add it in the changelog when fixing the bug
then.
You can find the upstream patch on:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
For further information see:
[0] http://secunia.com/advisories/31347/
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
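The advisory quoted in the report above describes pathnames longer than PATH_MAX overflowing fixed-size stack buffers. The following C example is added here for illustration and is neither git's code nor the upstream patch; `depth_unchecked`, `depth_checked` and `demo_overlong` are hypothetical names. It shows the unchecked pattern beside a length-checked version.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback when <limits.h> does not define it */
#endif

static int count_slashes(const char *p)
{
    int n = 0;
    while (*p) n += (*p++ == '/');
    return n;
}

/* UNSAFE (hypothetical): names stored in a repository are not limited by
 * the local filesystem, so base + "/" + name can exceed PATH_MAX. */
int depth_unchecked(const char *base, const char *name)
{
    char path[PATH_MAX];
    strcpy(path, base);
    strcat(path, "/");
    strcat(path, name);          /* no bound: can write past path[] */
    return count_slashes(path);
}

/* Hardened: reject anything that does not fit, including the NUL. */
int depth_checked(const char *base, const char *name)
{
    char path[PATH_MAX];
    size_t blen = strlen(base), nlen = strlen(name);
    if (blen >= sizeof(path) || nlen >= sizeof(path) - blen - 1)
        return -1;               /* caller reports "path too long" */
    memcpy(path, base, blen);
    path[blen] = '/';
    memcpy(path + blen + 1, name, nlen + 1);
    return count_slashes(path);
}

/* Constructed input: a name 100 bytes longer than PATH_MAX. */
int demo_overlong(void)
{
    static char name[PATH_MAX + 101];      /* zero-initialised */
    memset(name, 'a', sizeof(name) - 1);   /* last byte stays NUL */
    return depth_checked("src", name);
}

int main(void)
{
    printf("%d %d\n", depth_checked("src", "lib/a.c"), demo_overlong());
}
```

The length test is ordered so that `sizeof(path) - blen - 1` cannot wrap around: `blen` is checked against the buffer size before it is subtracted.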
--- Begin Message ---
Source: git-core
Source-Version: 1:1.5.6.3-1.1
We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:
git-arch_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-arch_1.5.6.3-1.1_all.deb
git-core_1.5.6.3-1.1.diff.gz
  to pool/main/g/git-core/git-core_1.5.6.3-1.1.diff.gz
git-core_1.5.6.3-1.1.dsc
  to pool/main/g/git-core/git-core_1.5.6.3-1.1.dsc
git-core_1.5.6.3-1.1_amd64.deb
  to pool/main/g/git-core/git-core_1.5.6.3-1.1_amd64.deb
git-cvs_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-cvs_1.5.6.3-1.1_all.deb
git-daemon-run_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-daemon-run_1.5.6.3-1.1_all.deb
git-doc_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-doc_1.5.6.3-1.1_all.deb
git-email_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-email_1.5.6.3-1.1_all.deb
git-gui_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-gui_1.5.6.3-1.1_all.deb
git-svn_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/git-svn_1.5.6.3-1.1_all.deb
gitk_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/gitk_1.5.6.3-1.1_all.deb
gitweb_1.5.6.3-1.1_all.deb
  to pool/main/g/git-core/gitweb_1.5.6.3-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated git-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 09 Aug 2008 13:53:13 +0200
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: source amd64 all
Version: 1:1.5.6.3-1.1
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Closes: 494097
Changes:
 git-core (1:1.5.6.3-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix various stack-based buffer overflows when processing overly long
     repository pathnames which can be exploited to execute arbitrary code if
     a victim is tricked into using git-grep or git-diff on a crafted
     repository (CVE-2008-3546; Closes: #494097).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkidjyMACgkQHYflSXNkfP8EdQCdHP1Y+e2QVzo7E28FKtSlzEeT
3JgAniVDuA2S9JOFtxwd/nNEUUunoteh
=sI5w
-----END PGP SIGNATURE-----
--- End Message ---