Your message dated Mon, 25 Aug 2008 13:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#494097: fixed in git-core 1:1.6.0-1
has caused the Debian Bug report #494097,
regarding git-core: stack-based buffer overflow in git-diff and git-grep
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
494097: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494097
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: git-core
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for git-core.

| Some vulnerabilities have been reported in GIT, which can potentially be
| exploited by malicious people to compromise a user's system.
| 
| The vulnerabilities are caused due to boundary errors in various functions
| when processing overly long repository pathnames. These can be exploited to
| cause stack-based buffer overflows by tricking a user into running e.g.
| "git-diff" or "git-grep" against a repository containing pathnames that are
| larger than the "PATH_MAX" value on the user's system.
| 
| Successful exploitation may allow execution of arbitrary code.

In this case there is no CVE id yet. I will add the CVE id to the bug report
when I get it.  Please make sure to add it in the changelog when fixing the bug
then.

You can find the upstream patch on:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

For further information see:

[0] http://secunia.com/advisories/31347/

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
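The advisory quoted in the report above describes repository pathnames longer than PATH_MAX overrunning fixed-size stack buffers in git-diff and git-grep. The following C block is an added illustration, not git's code and not the upstream patch: it shows that bug pattern in a comment next to a bounds-checked path builder that refuses an over-long path instead of writing it; join_path, overlong_name_rejected and g_path are names chosen for this example.

```c
/* Added illustration of the PATH_MAX bug class; not git's code or patch. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback when the platform headers omit it */
#endif

/* Vulnerable pattern (not compiled): a PATH_MAX-sized stack buffer filled
 * from a repository pathname whose length is never checked, e.g.
 *     char path[PATH_MAX];
 *     strcpy(path, dir); strcat(path, "/"); strcat(path, name);
 * A pathname longer than PATH_MAX overruns 'path' and corrupts the stack. */

/* Hardened helper: build "<dir>/<name>" into dst (dst_size bytes) and
 * return -1 instead of writing when it would not fit. Refusing beats
 * truncation, since a silently shortened path may name a different file. */
int join_path(char *dst, size_t dst_size, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen >= dst_size)                 /* no room for dir + '/' + NUL */
        return -1;
    if (nlen >= dst_size - dlen - 1)      /* dlen + 1 + nlen + 1 > dst_size */
        return -1;
    memcpy(dst, dir, dlen);
    dst[dlen] = '/';
    memcpy(dst + dlen + 1, name, nlen);
    dst[dlen + 1 + nlen] = '\0';
    return 0;
}

char g_path[PATH_MAX];   /* scratch buffer shared by the checks below */

/* Feeds a constructed pathname longer than PATH_MAX through join_path and
 * returns 1 when it is rejected rather than overflowing g_path. */
int overlong_name_rejected(void)
{
    static char name[PATH_MAX + 64];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return join_path(g_path, sizeof g_path, "repo", name) == -1;
}

int main(void)
{
    printf("overlong pathname rejected: %d\n", overlong_name_rejected());
    return 0;
}
```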
--- Begin Message ---
Source: git-core
Source-Version: 1:1.6.0-1

We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:

git-arch_1.6.0-1_all.deb
  to pool/main/g/git-core/git-arch_1.6.0-1_all.deb
git-core_1.6.0-1.diff.gz
  to pool/main/g/git-core/git-core_1.6.0-1.diff.gz
git-core_1.6.0-1.dsc
  to pool/main/g/git-core/git-core_1.6.0-1.dsc
git-core_1.6.0.orig.tar.gz
  to pool/main/g/git-core/git-core_1.6.0.orig.tar.gz
git-cvs_1.6.0-1_all.deb
  to pool/main/g/git-core/git-cvs_1.6.0-1_all.deb
git-daemon-run_1.6.0-1_all.deb
  to pool/main/g/git-core/git-daemon-run_1.6.0-1_all.deb
git-doc_1.6.0-1_all.deb
  to pool/main/g/git-core/git-doc_1.6.0-1_all.deb
git-email_1.6.0-1_all.deb
  to pool/main/g/git-core/git-email_1.6.0-1_all.deb
git-gui_1.6.0-1_all.deb
  to pool/main/g/git-core/git-gui_1.6.0-1_all.deb
git-svn_1.6.0-1_all.deb
  to pool/main/g/git-core/git-svn_1.6.0-1_all.deb
gitk_1.6.0-1_all.deb
  to pool/main/g/git-core/gitk_1.6.0-1_all.deb
gitweb_1.6.0-1_all.deb
  to pool/main/g/git-core/gitweb_1.6.0-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <[EMAIL PROTECTED]> (supplier of updated git-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Sun, 24 Aug 2008 22:31:44 +0000
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: all source
Version: 1:1.6.0-1
Distribution: experimental
Urgency: low
Maintainer: Gerrit Pape <[EMAIL PROTECTED]>
Changed-By: Gerrit Pape <[EMAIL PROTECTED]>
Description: 
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Closes: 461212 480396 490220 490400 492522 494097 494467 494505 494991
Changes: 
 git-core (1:1.6.0-1) experimental; urgency=low
 .
   * new upstream release.
     * svnimport: newer libsvn wants us to ask for the root with "",
       not "/" (closes: #492522, #490400).
     * Keep some git-* programs in $(bindir); Move all dashed-form
       commands to libexecdir (closes: #461212).
     * bash: Add more option completions for 'git log' (closes:
       #490220).
     * Fix buffer overflow in prepare_attr_stack; Fix buffer overflow
       in git diff; Fix buffer overflow in git-grep (closes: #494097).
   * 0002-bug-438793-git-sh-setup.sh-builtin-tag.c-fallback.diff: redo
     as 0002-bug-438793-494505-fallback-to-editor-not-vi.diff (thx
     Jonathan Nieder for the patch, closes: #494505).
   * debian/rules: add gitexecdir=/usr/lib/git-core to OPTS; adapt
     several paths (thx Jonathan Nieder for a patch, closes: #480396).
   * debian/gitweb.NEWS.Debian: new; talk about files moved from
     /var/www/ to /usr/share/gitweb/ (see #479479; closes: #494467).
   * debian/git-daemon/run: run git daemon instead of git-daemon
     (dash-less form).
   * debian/git-daemon-run.postinst: add gitdaemon system user.
   * debian/git-daemon/run: utilize chpst to run git daemon as user
     gitdaemon (thx Daniel Kahn Gillmor, closes: #494991).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---