tags 590026 + pending
thanks

I ended up using the first patch from Jonathan after fixing my
environment to have HOME exported, and I'll upload that in a minute.
Gerrit, I'm uploading to ftp-master directly since afaik you're on VAC;
please find the NMU patch attached.

Thanks again for the fix, Jonathan!

Cheers,
Julien
diff -u git-1.7.1/debian/changelog git-1.7.1/debian/changelog
--- git-1.7.1/debian/changelog
+++ git-1.7.1/debian/changelog
@@ -1,3 +1,12 @@
+git (1:1.7.1-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/diff/0004-Check-size-of-path-buffer-before-writing-...diff:
+    new, cherry-picked from 3c9d041: setup: Check size of path buffer
+    before writing into it (closes: #590026, CVE-2010-2542).
+
+ -- Jonathan Nieder <jrnie...@gmail.com>  Sun, 25 Jul 2010 18:01:15 -0500
+
 git (1:1.7.1-1) unstable; urgency=low
 
   * debian/diff/0003-t-t7400-submodule-basic.sh-debug-output-...diff:
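Review bot: the new changelog entry names the patch and the CVE but never says what the defect is. The cherry-picked commit message describes a buffer overrun triggered by a '.git' file with an overlong "gitdir:" line, and for an urgency=high upload one short clause to that effect in the bullet would let someone reading the changelog alone judge exposure without opening debian/diff/.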
only in patch2:
unchanged:
--- git-1.7.1.orig/debian/diff/0004-Check-size-of-path-buffer-before-writing-into-it.diff
+++ git-1.7.1/debian/diff/0004-Check-size-of-path-buffer-before-writing-into-it.diff
@@ -0,0 +1,33 @@
+From 59dfd3aab208ffc0345dd557d6682ba0753f58c1 Mon Sep 17 00:00:00 2001
+From: Greg Brockman <g...@mit.edu>
+Date: Tue, 20 Jul 2010 00:46:21 -0400
+Subject: [PATCH] Check size of path buffer before writing into it
+
+This prevents a buffer overrun that could otherwise be triggered by
+creating a file called '.git' with contents
+
+  gitdir: (something really long)
+
+Signed-off-by: Greg Brockman <g...@mit.edu>
+Signed-off-by: Junio C Hamano <gits...@pobox.com>
+(cherry picked from commit 3c9d0414ed2db0167e6c828b547be8fc9f88fccc)
+---
+ setup.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/setup.c b/setup.c
+index 5716d90..e70df0b 100644
+--- a/setup.c
++++ b/setup.c
+@@ -170,6 +170,8 @@ static int is_git_directory(const char *suspect)
+ 	char path[PATH_MAX];
+ 	size_t len = strlen(suspect);
+ 
++	if (PATH_MAX <= len + strlen("/objects"))
++		die("Too long path: %.*s", 60, suspect);
+ 	strcpy(path, suspect);
+ 	if (getenv(DB_ENVIRONMENT)) {
+ 		if (access(getenv(DB_ENVIRONMENT), X_OK))
+-- 
+1.7.2
+
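Review bot: the length check added in is_git_directory() reserves room only for the literal "/objects", and nothing in the hunk shows which suffixes are later appended to path[]. The bound is correct for strcpy(path, suspect) followed by an "/objects" append (len + 8 + NUL fits when PATH_MAX > len + 8), but it silently depends on "/objects" being the longest suffix used in the rest of the function. A one-line comment saying so, or a bound written against the longest suffix, would keep the check from going stale if another suffix is added. The diffstat also shows setup.c as the only file touched; a regression test that creates a '.git' file with an overlong gitdir: value and expects a clean die() would guard the fix.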
