Bug 234075 (CVE-2008-3546)

Summary:	dev-util/git <1.5.6.4 PATH_MAX Stack-based buffer overflow (CVE-2008-3546)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ferdy, fmccor, robbat2
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/31347/
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-08-06 11:41:36 UTC

Secunia writes:
Some vulnerabilities have been reported in GIT, which can potentially
be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various
functions when processing overly long repository pathnames. These can
be exploited to cause stack-based buffer overflows by tricking a user
into running e.g. "git-diff" or "git-grep" against a repository
containing pathnames that are larger than the "PATH_MAX" value on the
user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions
may also be affected.

SOLUTION:
Update to version 1.5.6.4.
http://www.kernel.org/pub/software/scm/git/

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-08-06 11:55:40 UTC

We have 1.5.6.4 in the tree, is it ready for stabling?

Comment 2 Robin Johnson archtester

2008-08-06 19:08:02 UTC

yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-08-06 21:20:42 UTC

Arches, please test and mark stable:
=dev-util/git-1.5.6.4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 4 Ferris McCormick (RETIRED) gentoo-dev

2008-08-06 22:30:16 UTC

Sparc stable (about 3 weeks early, but OK for security bug).  There are certainly a lot of old versions of this floating around in the tree. :)

Comment 5 Thomas Anderson (tanderson) (RETIRED) gentoo-dev

2008-08-07 00:16:55 UTC

amd64 stable

Comment 6 Markus Rothe (RETIRED) gentoo-dev

2008-08-07 05:26:09 UTC

ppc64 stable

Comment 7 Markus Meier gentoo-dev

2008-08-07 21:43:39 UTC

x86 stable

Comment 8 Robin Johnson archtester

2008-08-07 22:02:41 UTC

If  you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, 1.5.6.6 (not out yet).

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2008-08-08 16:38:57 UTC

alpha/ia64 stable

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2008-08-08 20:09:00 UTC

ppc stable

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-08-28 19:21:25 UTC

(In reply to comment #2)
> yup, you can ask arches to stable it. There's a pending HPPA issue that's much
> older however, due to a GCC bug.
> 
Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2008-09-16 22:22:32 UTC

Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.

Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-09-21 11:14:09 UTC

glsa request filed.

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-09-25 21:15:41 UTC

GLSA 200809-16