|Summary:||dev-util/git <188.8.131.52 PATH_MAX Stack-based buffer overflow (CVE-2008-3546)|
|Product:||Gentoo Security||Reporter:||Robert Buchholz (RETIRED) <rbu>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||ferdy, fmccor, robbat2|
|Package list:||Runtime testing required:||---|
Description Robert Buchholz (RETIRED) 2008-08-06 11:41:36 UTC
Secunia writes: Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system. Successful exploitation may allow execution of arbitrary code. The vulnerabilities are reported in version 184.108.40.206. Prior versions may also be affected. SOLUTION: Update to version 220.127.116.11. http://www.kernel.org/pub/software/scm/git/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.kernel.org/pub/software/scm/git/docs/RelNotes-18.104.22.168.txt http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
Comment 1 Robert Buchholz (RETIRED) 2008-08-06 11:55:40 UTC
We have 22.214.171.124 in the tree, is it ready for stabling?
Comment 2 Robin Johnson 2008-08-06 19:08:02 UTC
yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.
Comment 3 Robert Buchholz (RETIRED) 2008-08-06 21:20:42 UTC
Arches, please test and mark stable: =dev-util/git-126.96.36.199 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Ferris McCormick (RETIRED) 2008-08-06 22:30:16 UTC
Sparc stable (about 3 weeks early, but OK for security bug). There are certainly a lot of old versions of this floating around in the tree. :)
Comment 5 Thomas Anderson (tanderson) (RETIRED) 2008-08-07 00:16:55 UTC
Comment 6 Markus Rothe (RETIRED) 2008-08-07 05:26:09 UTC
Comment 7 Markus Meier 2008-08-07 21:43:39 UTC
Comment 8 Robin Johnson 2008-08-07 22:02:41 UTC
If you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, 188.8.131.52 (not out yet).
Comment 9 Raúl Porcel (RETIRED) 2008-08-08 16:38:57 UTC
Comment 10 Tobias Scherbaum (RETIRED) 2008-08-08 20:09:00 UTC
Comment 11 Pierre-Yves Rofes (RETIRED) 2008-08-28 19:21:25 UTC
(In reply to comment #2) > yup, you can ask arches to stable it. There's a pending HPPA issue that's much > older however, due to a GCC bug. > Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]
Comment 12 Jeroen Roovers (RETIRED) 2008-09-16 22:22:32 UTC
Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.
Comment 13 Pierre-Yves Rofes (RETIRED) 2008-09-21 11:14:09 UTC
glsa request filed.
Comment 14 Pierre-Yves Rofes (RETIRED) 2008-09-25 21:15:41 UTC