Your message dated Tue, 27 Jul 2010 13:47:33 +0000
with message-id <e1odkvj-00034i...@franck.debian.org>
and subject line Bug#590026: fixed in git 1:1.7.1-1.1
has caused the Debian Bug report #590026,
regarding git-core: upstream fix for exploitable buffer overrun (CVE-2010-2542)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
590026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: git-core
Version: 1:1.7.1-1~bpo50+1
Severity: grave
Tags: security patch
Justification: user security hole


A fix for an exploitable buffer overrun (CVE-2010-2542, per [1]) was
committed to git in [2].  In particular, if an attacker were to create
a crafted working copy where the user runs any git command, the
attacker could force execution of arbitrary code.

This attack should be mitigated to a denial of service if git is
compiled with appropriate stack-protecting flags.

This buffer overrun was introduced in [3], which first appeared in
v1.5.6, and is fixed in v1.7.2.

Greg

[1] http://seclists.org/oss-sec/2010/q3/93
[2] http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc
[3] http://git.kernel.org/?p=git/git.git;a=commit;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages git-core depends on:
ii  git                    1:1.7.1-1~bpo50+1 fast, scalable, distributed revisi

git-core recommends no packages.

git-core suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: git
Source-Version: 1:1.7.1-1.1

We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive:

git-all_1.7.1-1.1_all.deb
  to main/g/git/git-all_1.7.1-1.1_all.deb
git-arch_1.7.1-1.1_all.deb
  to main/g/git/git-arch_1.7.1-1.1_all.deb
git-core_1.7.1-1.1_all.deb
  to main/g/git/git-core_1.7.1-1.1_all.deb
git-cvs_1.7.1-1.1_all.deb
  to main/g/git/git-cvs_1.7.1-1.1_all.deb
git-daemon-run_1.7.1-1.1_all.deb
  to main/g/git/git-daemon-run_1.7.1-1.1_all.deb
git-doc_1.7.1-1.1_all.deb
  to main/g/git/git-doc_1.7.1-1.1_all.deb
git-email_1.7.1-1.1_all.deb
  to main/g/git/git-email_1.7.1-1.1_all.deb
git-gui_1.7.1-1.1_all.deb
  to main/g/git/git-gui_1.7.1-1.1_all.deb
git-svn_1.7.1-1.1_all.deb
  to main/g/git/git-svn_1.7.1-1.1_all.deb
git_1.7.1-1.1.diff.gz
  to main/g/git/git_1.7.1-1.1.diff.gz
git_1.7.1-1.1.dsc
  to main/g/git/git_1.7.1-1.1.dsc
git_1.7.1-1.1_amd64.deb
  to main/g/git/git_1.7.1-1.1_amd64.deb
gitk_1.7.1-1.1_all.deb
  to main/g/git/gitk_1.7.1-1.1_all.deb
gitweb_1.7.1-1.1_all.deb
  to main/g/git/gitweb_1.7.1-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 25 Jul 2010 18:01:15 -0500
Source: git
Binary: git git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb git-all
Architecture: source amd64 all
Version: 1:1.7.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Description: 
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Closes: 590026
Changes: 
 git (1:1.7.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/diff/0004-Check-size-of-path-buffer-before-writing-...diff:
     new, cherry-picked from 3c9d041: setup: Check size of path buffer
     before writing into it (closes: #590026, CVE-2010-2542).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
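
The report and the changelog entry above describe the fix as checking the size of a path buffer before writing into it. As an added example (not git's code and not taken from the cherry-picked patch), this is one way to write such a check in C; the function names and sample paths are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper, not git's code: write "<dir>/<suffix>" into a
 * fixed-size buffer. Returns 0 on success, or -1 without touching buf
 * when the result plus its NUL terminator would not fit. */
int join_path_checked(char *buf, size_t bufsize,
                      const char *dir, const char *suffix)
{
    size_t dlen = strlen(dir);
    size_t slen = strlen(suffix);

    /* Size check first, phrased as subtraction so nothing can wrap:
     * we need dlen + 1 ('/') + slen + 1 (NUL) <= bufsize. */
    if (dlen >= bufsize || bufsize - dlen < 2 || slen > bufsize - dlen - 2)
        return -1;

    memcpy(buf, dir, dlen);
    buf[dlen] = '/';
    memcpy(buf + dlen + 1, suffix, slen + 1);   /* copies the NUL too */
    return 0;
}

/* Constructed input: a directory name of PATH_MAX bytes, the kind of
 * length an untrusted working copy can present to a path-probing tool. */
int probe_overlong_dir(void)
{
    static char dir[PATH_MAX + 1];
    char path[PATH_MAX];

    memset(dir, 'a', PATH_MAX);
    dir[PATH_MAX] = '\0';
    return join_path_checked(path, sizeof(path), dir, "objects");
}

int main(void)
{
    char path[PATH_MAX];

    if (join_path_checked(path, sizeof(path), "repo/.git", "objects") == 0)
        printf("ok: %s\n", path);
    printf("overlong directory: %s\n",
           probe_overlong_dir() == 0 ? "accepted" : "rejected");
    return 0;
}
```

Stack-protecting compiler flags, as the report notes, only reduce an overrun to a crash; the length check keeps the out-of-bounds write from happening at all.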