Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 234075 (CVE-2008-3546) - dev-util/git < PATH_MAX Stack-based buffer overflow (CVE-2008-3546)
Summary: dev-util/git < PATH_MAX Stack-based buffer overflow (CVE-2008-3546)
Alias: CVE-2008-3546
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-08-06 11:41 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-09 19:04 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 11:41:36 UTC
Secunia writes:
Some vulnerabilities have been reported in GIT, which can potentially
be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various
functions when processing overly long repository pathnames. These can
be exploited to cause stack-based buffer overflows by tricking a user
into running e.g. "git-diff" or "git-grep" against a repository
containing pathnames that are larger than the "PATH_MAX" value on the
user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version Prior versions
may also be affected.

Update to version

Reported by the vendor.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 11:55:40 UTC
We have in the tree, is it ready for stabling?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-06 19:08:02 UTC
yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 21:20:42 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-08-06 22:30:16 UTC
Sparc stable (about 3 weeks early, but OK for security bug).  There are certainly a lot of old versions of this floating around in the tree. :)
Comment 5 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-08-07 00:16:55 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-08-07 05:26:09 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2008-08-07 21:43:39 UTC
x86 stable
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-08-07 22:02:41 UTC
If  you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, (not out yet).
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-08-08 16:38:57 UTC
alpha/ia64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-08 20:09:00 UTC
ppc stable
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-28 19:21:25 UTC
(In reply to comment #2)
> yup, you can ask arches to stable it. There's a pending HPPA issue that's much
> older however, due to a GCC bug.
Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-16 22:22:32 UTC
Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-21 11:14:09 UTC
glsa request filed.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-25 21:15:41 UTC
GLSA 200809-16