Secunia writes: Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

SOLUTION: Update to version 1.5.6.4.
http://www.kernel.org/pub/software/scm/git/

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
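The bug class the advisory above describes, as an added C example that is not git's code: a repository pathname is data controlled by whoever wrote the repository, so copying it into a fixed PATH_MAX stack buffer needs a length check, and snprintf's return value must be checked because it reports the would-be length instead of failing on truncation. The function names are assumptions made for the illustration.

```c
/* Added example, not git's own code. Shows the bounded-copy pattern that
 * avoids the PATH_MAX stack overflow the advisory describes. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Vulnerable shape (do not use): strcpy(buf, prefix); strcat(buf, name);
 * into char buf[PATH_MAX] with no check on strlen(prefix) + strlen(name).
 * A name longer than PATH_MAX then writes past the end of buf. */

/* Hardened: join prefix and name into dst (capacity dst_len) only if the
 * result, including the terminating NUL, fits. Returns 0 on success and -1
 * if the pathname would exceed the buffer, leaving dst empty. */
int build_repo_path(char *dst, size_t dst_len, const char *prefix, const char *name)
{
    int n = snprintf(dst, dst_len, "%s/%s", prefix, name);
    if (n < 0 || (size_t)n >= dst_len) {   /* error or truncated */
        if (dst_len)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds a constructed name of `len` bytes and reports whether the hardened
 * joiner accepts it (1) or rejects it (0); used to show the PATH_MAX boundary. */
int accepts_name_of_length(size_t len)
{
    static char name[2 * PATH_MAX];   /* constructed input, longer than PATH_MAX */
    char buf[PATH_MAX];               /* the fixed stack buffer from the advisory */
    if (len >= sizeof name)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return build_repo_path(buf, sizeof buf, "repo", name) == 0;
}

int main(void)
{
    printf("PATH_MAX = %d\n", PATH_MAX);
    printf("16-byte name accepted: %d\n", accepts_name_of_length(16));
    printf("PATH_MAX-byte name accepted: %d\n", accepts_name_of_length(PATH_MAX));
    return 0;
}
```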
We have 1.5.6.4 in the tree, is it ready for stabling?
yup, you can ask arches to stable it. There's a pending HPPA issue that's much older however, due to a GCC bug.
Arches, please test and mark stable: =dev-util/git-1.5.6.4 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Sparc stable (about 3 weeks early, but OK for security bug). There are certainly a lot of old versions of this floating around in the tree. :)
amd64 stable
ppc64 stable
x86 stable
If you run into problems with testcases, make sure you have FEATURES=userpriv first of all, and on 64-bit userspace big-endian boxes, there's also a false positive in t0040 at the moment, that upstream should be including in the next release, 1.5.6.6 (not out yet).
alpha/ia64 stable
ppc stable
(In reply to comment #2)
> yup, you can ask arches to stable it. There's a pending HPPA issue that's much
> older however, due to a GCC bug.
>

Has it been solved in the meanwhile, or is there a bug # to track it? It's the only arch left before we move to [glsa]
Stable for HPPA. The branching issue in HPPA's compiler was fixed half a year ago, and toolchain hasn't promised any new (working) gcc versions or even a revision.
glsa request filed.
GLSA 200809-16