
Bug 273905 (CVE-2009-2108)

Summary: <dev-util/git-1.6.3.3 git-daemon DoS (CVE-2009-2108)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Reporter: Alex Legler (RETIRED) <a3li>
Assignee: Gentoo Security <security>
CC: ricmm, robbat2
URL: http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-12 19:18:10 UTC
From Secunia:

A vulnerability has been reported in Git, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite loop when parsing
certain additional request parameters. This can be exploited to cause
a high CPU load by sending specially crafted requests to an affected
git-daemon.

The vulnerability is reported in versions 1.4.4.5 through 1.6.3.2.
Other versions may also be affected.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-12 19:18:43 UTC
See $URL for a patch.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-19 08:49:44 UTC
CVE-2009-2108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2108):
  git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
  cause a denial of service (infinite loop and CPU consumption) via a
  request containing extra unrecognized arguments.
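
Added example (not part of the bug report and not git's source): a simplified C model of the failure mode described above, where a parser advances its cursor only for an argument it recognises, next to a strict variant that consumes or rejects on every pass. The function names, the `MAX_STEPS` guard, the `host=` keyword as the single recognised argument, and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_STEPS 1000 /* demo guard only; the modelled bug has no such limit */
/* Constructed inputs: NUL-separated arguments that follow the request path. */
static const char GOOD[]  = "host=example.org";
static const char EXTRA[] = "host=example.org\0unknown=1";

static size_t arg_len(const char *p, const char *end) {
    const char *nul = memchr(p, '\0', (size_t)(end - p));
    return (size_t)((nul ? nul : end) - p);
}

/* Lax model: cursor moves only for "host="; returns passes used, -1 if stuck. */
int parse_lax(const char *args, size_t len) {
    const char *p = args, *end = args + len;
    int steps = 0;
    while (p < end && *p) {
        size_t n = arg_len(p, end);
        if (++steps > MAX_STEPS)
            return -1;
        if (n >= 5 && strncasecmp(p, "host=", 5) == 0)
            p += n + (p + n < end); /* consume argument and its separator */
    }
    return steps;
}

/* Strict model: each pass consumes an argument or rejects the request. */
int parse_strict(const char *args, size_t len, char *host, size_t hostsz) {
    const char *p = args, *end = args + len;
    host[0] = '\0';
    while (p < end && *p) {
        size_t n = arg_len(p, end);
        if (n < 5 || strncasecmp(p, "host=", 5) != 0 || n - 5 >= hostsz)
            return -1; /* unrecognised or oversized argument */
        memcpy(host, p + 5, n - 5);
        host[n - 5] = '\0';
        p += n + (p + n < end);
    }
    return 0;
}

int main(void) {
    char h[64];
    printf("lax: %d %d\n", parse_lax(GOOD, sizeof GOOD), parse_lax(EXTRA, sizeof EXTRA));
    printf("strict: %d ", parse_strict(GOOD, sizeof GOOD, h, sizeof h));
    printf("%d\n", parse_strict(EXTRA, sizeof EXTRA, h, sizeof h));
    return 0;
}
```

The property to check when reviewing a parser of this shape is that every loop iteration either moves the cursor forward or leaves the loop.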

Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-06-22 20:37:49 UTC
1.6.3.3 in the tree now.
1.6.3.2 had the vuln as well per Secunia.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-24 00:41:06 UTC
Arches, please test and mark stable:
=dev-util/git-1.6.3.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers gentoo-dev 2009-06-24 05:08:41 UTC
Stable for HPPA.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 12:56:35 UTC
* FAIL 21: git add should fail atomically upon an unreadable file

                git reset --hard &&
                date >foo1 &&
                date >foo2 &&
                chmod 0 foo2 &&
                test_must_fail git add --verbose . &&
                ! ( git ls-files foo1 | grep foo1 )

*   ok 7: diff works (commit)* FAIL 22: git add --ignore-errors


                git reset --hard &&
                date >foo1 &&
                date >foo2 &&
                chmod 0 foo2 &&
                test_must_fail git add --verbose --ignore-errors . &&
                git ls-files foo1 | grep foo1

* FAIL 23: git add (add.ignore-errors)

                git config add.ignore-errors 1 &&
                git reset --hard &&
                date >foo1 &&
                date >foo2 &&
                chmod 0 foo2 &&
                test_must_fail git add --verbose . &&
                git ls-files foo1 | grep foo1

* FAIL 24: git add (add.ignore-errors = false)

                git config add.ignore-errors 0 &&
                git reset --hard &&
                date >foo1 &&
                date >foo2 &&
                chmod 0 foo2 &&
                test_must_fail git add --verbose . &&
                ! ( git ls-files foo1 | grep foo1 )

Portage 2.1.6.13 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.29-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.29-gentoo-r5-i686-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-glibc2.0
Timestamp of tree: Thu, 25 Jun 2009 07:30:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.4.6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_EN.UTF8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acl acpi alsa apache apache2 apm bash-completion berkdb bluetooth bootsplash branding bzip2 cairo cdr cdrom cli cracklib crypt css cups curl dbus directfb dri dvd dvdr dvdread dvi eds emacs emboss encode escreen esd evo fam fat fbcon fbcondecor ffmpeg firefox foomatic fortran gdbm gif gnome gpm gstreamer gtk hal iconv imlib ipv6 isdnlog jadetex java5 jpeg jpeg2k kde kpathsea laptop latex ldap libnotify libotf lm_sensors m17n-lib mad midi mikmod mmx mono mp3 mpeg mudflap musicbrainz ncurses nls nptl nptl-only nptlonly ntfs objc ogg opengl openmp openssh pam pcre pdf perl pmu png ppds pppd preview-latex python qt3 qt3support qt4 quicktime readline reflection reports sdl session smp spell spl sqlite sse ssl startup-notification svg svga sysfs t1lib tcpd test-framework tetex theora tiff tk toolkit-scroll-bars truetype unicode usb userlocales vorbis win32codecs wmf x86 xft xml xorg xpm xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="synaptics mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vesa fbdev intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-06-25 19:48:03 UTC
fauli: you ignored the warning at the top of the src_test block:
ewarn "You should retest with FEATURES=userpriv!"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-26 11:14:57 UTC
It still fails with all USE flags enabled, else it runs fine with FEATURES=userpriv...should I attach the build.log?
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-06-26 18:53:15 UTC
fauli: looks like I need to make even more of it depend on FEATURES=userpriv being used.

Since it works w/ FEATURES=userpriv and all the USE flags together, you can mark stable in the meantime, I'll tweak the ebuild to require userpriv shortly.
Comment 10 Tobias Klausmann gentoo-dev 2009-06-26 20:08:30 UTC
Stable on alpha.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-26 21:23:51 UTC
amd64 stable
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-27 09:34:57 UTC
x86 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-06-27 13:30:11 UTC
ppc64 done
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-06-27 13:30:18 UTC
ppc done
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 13:33:57 UTC
arm/ia64/s390/sh/sparc stable
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:27:46 UTC
I vote YES
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:02:55 UTC
YES, too. Request filed.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:48:36 UTC
GLSA 200907-05