Your message dated Fri, 26 Jun 2009 09:37:00 +0000
with message-id <e1mk7rg-0002cc...@ries.debian.org>
and subject line Bug#532935: fixed in git-core 1:1.6.3.3-1
has caused the Debian Bug report #532935,
regarding CVE-2009-2108: git-daemon Infinite Loop Denial of Service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
532935: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532935
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: git-core
Version: 1:1.6.3.1-1
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for git:

SA35437[1]:

Description:
A vulnerability has been reported in Git, which can be exploited by malicious 
people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite loop when parsing certain 
additional request parameters. This can be exploited to cause a high CPU load 
by sending specially crafted requests to an affected git-daemon.

The vulnerability is reported in versions 1.4.4.5 through 1.6.3.2. Other 
versions may also be affected.



Solution:
Fixed in the Git repository.[2]

Provided and/or discovered by:
Shawn O. Pearce

If you fix the vulnerability, please also make sure to include the CVE id
(if it will be available) in the changelog entry.


For further information see:

[1] http://secunia.com/advisories/35437/
[2] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

    https://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Cheers,
Giuseppe.




--- End Message ---
--- Begin Message ---
Source: git-core
Source-Version: 1:1.6.3.3-1

We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:

git-arch_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-arch_1.6.3.3-1_all.deb
git-core_1.6.3.3-1.diff.gz
  to pool/main/g/git-core/git-core_1.6.3.3-1.diff.gz
git-core_1.6.3.3-1.dsc
  to pool/main/g/git-core/git-core_1.6.3.3-1.dsc
git-core_1.6.3.3.orig.tar.gz
  to pool/main/g/git-core/git-core_1.6.3.3.orig.tar.gz
git-cvs_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-cvs_1.6.3.3-1_all.deb
git-daemon-run_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-daemon-run_1.6.3.3-1_all.deb
git-doc_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-doc_1.6.3.3-1_all.deb
git-email_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-email_1.6.3.3-1_all.deb
git-gui_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-gui_1.6.3.3-1_all.deb
git-svn_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-svn_1.6.3.3-1_all.deb
gitk_1.6.3.3-1_all.deb
  to pool/main/g/git-core/gitk_1.6.3.3-1_all.deb
gitweb_1.6.3.3-1_all.deb
  to pool/main/g/git-core/gitweb_1.6.3.3-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 532...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <p...@smarden.org> (supplier of updated git-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Tue, 23 Jun 2009 08:49:17 +0000
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: all source
Version: 1:1.6.3.3-1
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Gerrit Pape <p...@smarden.org>
Description: 
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Closes: 532935
Changes: 
 git-core (1:1.6.3.3-1) unstable; urgency=high
 .
   * new upstream point release.
     * daemon: Strictly parse the "extra arg" part of the command
       (closes: #532935; CVE-2009-2108).
   * debian/rules: add NO_CROSS_DIRECTORY_HARDLINKS=1 to OPTS.
   * debian/diff/0006-bug-520116-Makefile-do-not-install-cross...diff:
     remove; obsolete.




--- End Message ---
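
The advisory quoted in the report describes a loop over the request's additional parameters that never terminates, and the changelog entry names the fix as strict parsing of the "extra arg" part. The C example below is added here as an illustration of that class of bug and its remedy; it is not part of either message and is not git's code. The function names, return codes, the `MAX_STEPS` watchdog, the sample buffers, and the modelling of arguments as NUL-separated `key=value` strings with `host=` as the only recognized key are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of NUL-separated "key=value" extra arguments.
 * Not git's code; names, return codes and sample buffers are hypothetical. */
#define MAX_STEPS 1000  /* watchdog so the lenient loop cannot hang the demo */
static const char KNOWN_ARG[] = "host=example.org";  /* sizeof includes NUL */
static const char OTHER_ARG[] = "frob=1";            /* unrecognized key */

/* Lenient: advances only past arguments it recognizes.
 * Returns the host= count, or -1 when the watchdog sees no progress. */
int parse_lenient(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    int hosts = 0, steps = 0;
    while (p < end && *p) {
        if (++steps > MAX_STEPS)
            return -1;           /* without the watchdog this spins forever */
        if (strncasecmp(p, "host=", 5) == 0) {
            hosts++;
            p += strlen(p) + 1;  /* step over the value and its NUL */
        }                        /* else: p is unchanged, loop repeats */
    }
    return hosts;
}

/* Strict: each iteration consumes one whole argument or rejects (-2). */
int parse_strict(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    int hosts = 0;
    while (p < end && *p) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul || strncasecmp(p, "host=", 5) != 0)
            return -2;           /* unterminated or unknown: refuse request */
        hosts++;
        p = nul + 1;             /* guaranteed forward progress */
    }
    return hosts;
}

int main(void)
{
    printf("lenient: %d %d  strict: %d %d\n",
           parse_lenient(KNOWN_ARG, sizeof KNOWN_ARG), parse_lenient(OTHER_ARG, sizeof OTHER_ARG),
           parse_strict(KNOWN_ARG, sizeof KNOWN_ARG), parse_strict(OTHER_ARG, sizeof OTHER_ARG));
    return 0;
}
```

The property to review for in any such parser is that every loop iteration either moves the cursor forward or exits; the strict version enforces it by treating anything it cannot consume as an invalid request.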
