Package: git-core Version: 1:1.7.1-1~bpo50+1 Severity: grave Tags: security patch Justification: user security hole
A fix for an exploitable buffer overrun (CVE-2010-2542, per [1]) was committed to git in [2]. In particular, if an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code. This attack should be mitigated to a denial of service if git is compiled with appropriate stack-protecting flags. This buffer overrun was introduced in [3], which first appeared in v1.5.6, and is fixed in v1.7.2. Greg [1] http://seclists.org/oss-sec/2010/q3/93 [2] http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc [3] http://git.kernel.org/?p=git/git.git;a=commit;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20 -- System Information: Debian Release: 5.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages git-core depends on: ii git 1:1.7.1-1~bpo50+1 fast, scalable, distributed revisi git-core recommends no packages. git-core suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
