Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 234075 (CVE-2008-3546)

Summary: dev-util/git <1.5.6.4 PATH_MAX Stack-based buffer overflow (CVE-2008-3546)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ferdy, fmccor, robbat2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/31347/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 11:41:36 UTC
Secunia writes:
Some vulnerabilities have been reported in GIT, which can potentially
be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various
functions when processing overly long repository pathnames. These can
be exploited to cause stack-based buffer overflows by tricking a user
into running e.g. "git-diff" or "git-grep" against a repository
containing pathnames that are larger than the "PATH_MAX" value on the
user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions
may also be affected.

SOLUTION:
Update to version 1.5.6.4.
http://www.kernel.org/pub/software/scm/git/

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 11:55:40 UTC
We have 1.5.6.4 in the tree, is it ready for stabling?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-06 19:08:02 UTC
yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 21:20:42 UTC
Arches, please test and mark stable:
=dev-util/git-1.5.6.4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-08-06 22:30:16 UTC
Sparc stable (about 3 weeks early, but OK for security bug).  There are certainly a lot of old versions of this floating around in the tree. :)
Comment 5 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-08-07 00:16:55 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-08-07 05:26:09 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2008-08-07 21:43:39 UTC
x86 stable
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-07 22:02:41 UTC
If  you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, 1.5.6.6 (not out yet).
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-08-08 16:38:57 UTC
alpha/ia64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-08 20:09:00 UTC
ppc stable
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-28 19:21:25 UTC
(In reply to comment #2)
> yup, you can ask arches to stable it. There's a pending HPPA issue that's much
> older however, due to a GCC bug.
> 
Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-16 22:22:32 UTC
Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-21 11:14:09 UTC
glsa request filed.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-25 21:15:41 UTC
GLSA 200809-16