On Mon, Sep 26, 2016 at 11:10:54AM -0700, Junio C Hamano wrote:
> Junio C Hamano writes:
>
> > I am inclined to say that it has no security implications. You have
> > to be able to write a bogus loose object in an object store you
> > already have write access to in the first place, in order to
Btw, this other test case will trigger a similar issue, but in another line of
code:
To reproduce:
$ git init ; mkdir -p .git/objects/b2 ; printf
'eJwNwoENgDAIBECkDsII5Z8CHagLGPePXu59zjHGRIOZG3OzI/lnRc4KemXDPdYSml6iQ+4ATIZ+nAEK4g=='
| base64 -d > .git/objects/b2/93584ddd61af21260be75ee9f73e9d
Junio C Hamano writes:
> I am inclined to say that it has no security implications. You have
> to be able to write a bogus loose object in an object store you
> already have write access to in the first place, in order to cause
> this ...
Note that you could social-engineer others to fetch from
Gustavo Grieco writes:
> Fair enough. We are testing our tool to try to find
> bugs/vulnerabilities in several git implementations. I will report
> here my results if I can find some other memory issue in this git
> client.
Thanks. With or without security implications, it is basic codebase
hyg
Fair enough. We are testing our tool to try to find bugs/vulnerabilities in
several git implementations. I will report here my results if I can find some
other memory issue in this git client.
- Original Message -
> Gustavo Grieco writes:
>
> > Now that the cause of this issue is ident
Gustavo Grieco writes:
> Now that the cause of this issue is identified, I would like to
> know if there is an impact in the security, so I can request a CVE
> if necessary.
I am inclined to say that it has no security implications. You have
to be able to write a bogus loose object in an object
Hello,
Now that the cause of this issue is identified, I would like to know if there
is an impact in the security, so I can request a CVE if necessary.
Thanks!
On Sun, Sep 25, 2016 at 05:10:31PM -0700, Junio C Hamano wrote:
> Gustavo Grieco writes:
>
> > We found a stack read out-of-bounds parsing object files using git 2.10.0.
> > It was tested on ArchLinux x86_64. To reproduce, first recompile git with
> > ASAN support and then execute:
> >
> > $ g
Gustavo Grieco writes:
> We found a stack read out-of-bounds parsing object files using git 2.10.0. It
> was tested on ArchLinux x86_64. To reproduce, first recompile git with ASAN
> support and then execute:
>
> $ git init ; mkdir -p .git/objects/b2 ; printf 'x' >
> .git/objects/b2/93584ddd61
Hi,
We found a stack read out-of-bounds parsing object files using git 2.10.0. It
was tested on ArchLinux x86_64. To reproduce, first recompile git with ASAN
support and then execute:
$ git init ; mkdir -p .git/objects/b2 ; printf 'x' >
.git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0
F