Hi all,

Want to try to summarize:

CVE-2016-2315, fixed by
https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305
(v2.7.0-rc0).

Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name
removal, in
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
(v2.8.0-rc0). So this is *not* in any 2.7.x. According to the CVE
assignment, CVE-2016-2324 is for 'Related ... is integer overflow due
to a loop which adds more to "len"'. See:

http://www.openwall.com/lists/oss-security/2016/03/16/2

There is a further one mentioned in the initial post, which is related
to a similar issue in the diff code, which should be
https://github.com/git/git/commit/5b442c4f2723211ce0d862571e88ee206bfd51bf
(v2.7.3) and has no CVE so far.

Laszlo then also mentioned
https://github.com/git/git/commit/13e0b0d3dc76353632dcb0bc63cdf03426154317
(v2.7.3); this is a separate issue, not related to the two assigned
CVEs AFAICS, but it will be fixed as well when updating to a 2.7.3-based
upload.

The original reporter mentions being safe with 2.7.1, but in light
of the second commit this does not look fully correct?

Do you concur on this summary?

Regards,
Salvatore
