Your message dated Wed, 13 Aug 2008 11:02:11 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#494097: fixed in git-core 1:1.5.6.3-1+lenny2
has caused the Debian Bug report #494097,
regarding git-core: stack-based buffer overflow in git-diff and git-grep
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
494097: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494097
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: git-core
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for git-core.
| Some vulnerabilities have been reported in GIT, which can potentially be
| exploited by malicious people to compromise a user's system.
|
| The vulnerabilities are caused due to boundary errors in various functions when
| processing overly long repository pathnames. These can be exploited to cause
| stack-based buffer overflows by tricking a user into running e.g. "git-diff" or
| "git-grep" against a repository containing pathnames that are larger than the
| "PATH_MAX" value on the user's system.
|
| Successful exploitation may allow execution of arbitrary code.
In this case there is no CVE id yet. I will add the CVE id to the bug report
when I get it. Please make sure to add it in the changelog when fixing the bug
then.
You can find the upstream patch on:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
For further information see:
[0] http://secunia.com/advisories/31347/
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
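Added example (not part of the bug report and not git's source code): the advisory quoted above describes pathnames longer than PATH_MAX overflowing fixed-size stack buffers. The C code below puts that unchecked pattern next to a length-checked join; the function names, the "repo" directory and the generated names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096 /* fallback value; an assumption for this example */
#endif

/* Unchecked pattern (hypothetical helper, not git's source): `out` is a
 * PATH_MAX-byte stack buffer and nothing limits the length of `name`. */
void join_unchecked(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
}

/* Checked form: refuse to copy unless dir + '/' + name + NUL fits in outsz.
 * Returns 0 on success, -1 when the joined path would be too long. */
int join_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen >= outsz || nlen >= outsz - dlen - 1) /* ordered to avoid size_t wraparound */
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1); /* copies the terminating NUL too */
    return 0;
}

/* Builds a constructed name of `len` bytes and reports whether the checked
 * join accepts it under the hypothetical directory "repo" (1 = accepted). */
int accepts_name_of_length(size_t len)
{
    static char name[2 * PATH_MAX];
    char path[PATH_MAX];
    if (len >= sizeof(name))
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return join_checked(path, sizeof(path), "repo", name) == 0;
}

int main(void)
{
    printf("16-byte name accepted: %d\n", accepts_name_of_length(16));
    printf("PATH_MAX-byte name accepted: %d\n", accepts_name_of_length(PATH_MAX));
    return 0;
}
```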
--- Begin Message ---
Source: git-core
Source-Version: 1:1.5.6.3-1+lenny2
We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:
git-arch_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-arch_1.5.6.3-1+lenny2_all.deb
git-core_1.5.6.3-1+lenny2.diff.gz
  to pool/main/g/git-core/git-core_1.5.6.3-1+lenny2.diff.gz
git-core_1.5.6.3-1+lenny2.dsc
  to pool/main/g/git-core/git-core_1.5.6.3-1+lenny2.dsc
git-core_1.5.6.3-1+lenny2_amd64.deb
  to pool/main/g/git-core/git-core_1.5.6.3-1+lenny2_amd64.deb
git-cvs_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-cvs_1.5.6.3-1+lenny2_all.deb
git-daemon-run_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-daemon-run_1.5.6.3-1+lenny2_all.deb
git-doc_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-doc_1.5.6.3-1+lenny2_all.deb
git-email_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-email_1.5.6.3-1+lenny2_all.deb
git-gui_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-gui_1.5.6.3-1+lenny2_all.deb
git-svn_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/git-svn_1.5.6.3-1+lenny2_all.deb
gitk_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/gitk_1.5.6.3-1+lenny2_all.deb
gitweb_1.5.6.3-1+lenny2_all.deb
  to pool/main/g/git-core/gitweb_1.5.6.3-1+lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated git-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 13 Aug 2008 12:12:03 +0200
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: source amd64 all
Version: 1:1.5.6.3-1+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Gerrit Pape <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Closes: 494097
Changes:
git-core (1:1.5.6.3-1+lenny2) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Update 0005-bug-494097-CVE-2008-3546.diff to fix incomplete patch
which didn't include fixes for attr.c and builtin-grep.c
(CVE-2008-3546; Closes: #494097).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkiiuqwACgkQHYflSXNkfP9XQwCcDKyr8YUd92DoMysozWnD9fj+
ThwAnRjh+1yzRSevG5zFf2icg7vcKnuc
=DjzC
-----END PGP SIGNATURE-----
--- End Message ---