Some vulnerabilities have been reported in GIT, which can potentially
be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to boundary errors in various
functions when processing overly long repository pathnames. These can
be exploited to cause stack-based buffer overflows by tricking a user
into running e.g. "git-diff" or "git-grep" against a repository
containing pathnames that are larger than the "PATH_MAX" value on the
Successful exploitation may allow execution of arbitrary code.
The vulnerabilities are reported in version 220.127.116.11. Prior versions
may also be affected.
Update to version 18.104.22.168.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
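The bug class in the advisory is a fixed PATH_MAX stack buffer filled from repository-controlled entry names without a length check. The following is an added example, not code from git or from this bug: a bounded join routine that refuses (rather than truncates) over-long paths, plus a pre-check over a constructed list of entry names; the `work` base and the entry names are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The advisory's bug class: a tree entry name copied into a fixed PATH_MAX
 * stack buffer with no length check, e.g. sprintf(buf, "%s/%s", base, name)
 * with char buf[PATH_MAX]. Deliberately left as a comment, not compiled. */

/* Hardened form: build "base/name" into out, refusing when base + '/' + name
 * + NUL would not fit in outsz bytes. Returns 0 on success, -1 if too long. */
int join_path_checked(char *out, size_t outsz, const char *base, const char *name)
{
    size_t blen = strlen(base), nlen = strlen(name);
    if (blen >= outsz)              /* base alone fills the buffer */
        return -1;
    if (nlen >= outsz - blen - 1)   /* no room for '/' + name + NUL */
        return -1;
    memcpy(out, base, blen);
    out[blen] = '/';
    memcpy(out + blen + 1, name, nlen + 1);   /* copies the NUL too */
    return 0;
}

/* Pre-check a list of tree entry names (e.g. from `git ls-tree`) and return
 * how many would overflow a PATH_MAX buffer once joined to base. */
size_t count_overlong(const char *base, const char *const *names, size_t n)
{
    char buf[PATH_MAX];
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (join_path_checked(buf, sizeof buf, base, names[i]) != 0)
            bad++;
    return bad;
}

int main(void)
{
    /* constructed sample: two ordinary names and one PATH_MAX-long name */
    static char longname[PATH_MAX + 1];   /* static => NUL-terminated */
    memset(longname, 'A', PATH_MAX);
    const char *names[] = { "Makefile", "src/main.c", longname };
    printf("%zu over-long entries\n", count_overlong("work", names, 3));
    return 0;
}
```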
We have 22.214.171.124 in the tree, is it ready for stabling?
yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Sparc stable (about 3 weeks early, but OK for security bug). There are certainly a lot of old versions of this floating around in the tree. :)
If you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, 126.96.36.199 (not out yet).
(In reply to comment #2)
> yup, you can ask arches to stable it. There's a pending HPPA issue that's much
> older however, due to a GCC bug.
Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]
Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.
glsa request filed.