Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 634342 (CVE-2017-15298)

Summary: dev-vcs/git: denial of service via crafted repository
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED WONTFIX    
Severity: minor CC: polynomial-c, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [upstream cve]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-10-15 14:55:39 UTC 
CVE-2017-15298 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298):

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. 

References:

https://github.com/Katee/git-bomb
https://kate.io/blog/git-bomb/