Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601984 (CVE-2016-2324) - <dev-vcs/git-2.7.4: server and client side remote code execution through a buffer overflow (CVE-2016-{2315,2324})
Summary: <dev-vcs/git-2.7.4: server and client side remote code execution through a bu...
Status: RESOLVED INVALID
Alias: CVE-2016-2324
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q1/653
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-08 14:01 UTC by Jonas Stein
Modified: 2017-02-14 19:06 UTC (History)
2 users (show)

See Also:
Package list:
=dev-vcs/git-2.10.2
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jonas Stein gentoo-dev 2016-12-08 14:01:49 UTC
http://seclists.org/oss-sec/2016/q1/645

I am not sure, if https://bugs.gentoo.org/show_bug.cgi?id=577482 fixes both.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-12-08 14:52:54 UTC
Thank you for filing this bug! Old, but Gentoo stable is still affected.

This vulnerability is public, no need to restrict access.

Fixed by upstream in v2.7.4 which is already in tree.


@ Maintainer(s): We need to stabilize at least =dev-vcs/git-2.7.4. But maybe we can stabilize a newer version, i.e. the whole path_name thing was removed in 2.8.x...
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-12-09 16:42:23 UTC
Arches please test and mark stable =dev-vcs/git-2.10.2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 3 Tobias Klausmann gentoo-dev 2016-12-09 19:01:11 UTC
Stable on alpha.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2016-12-12 10:58:28 UTC
commit 8fd404063dfb0aa99dd28019ee8979aec9f03ad3
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Dec 12 11:57:41 2016

    dev-vcs/git: Stable for amd64 and x86 (bug #601984).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
    RepoMan-Options: --include-arches="amd64,x86"
Comment 5 Markus Meier gentoo-dev 2016-12-17 15:36:33 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-19 14:42:00 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 15:17:57 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-20 09:51:21 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-22 09:39:45 UTC
ppc64 stable
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-02 08:27:53 UTC
hppa ping
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-20 05:18:13 UTC
Stable for HPPA.
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-01-30 01:25:33 UTC
New GLSA request filed.


@ Maintainer(s): Please cleanup and drop at least <dev-vcs/git-2.7.4!
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-02-14 19:06:58 UTC
Freeing CVE alias. CVE-2016-2315 was already addressed in bug 577482 and GLSA 201605-01 but probably nobody noticed (well, Jonas set "See also") due to the encoding of the alias (UTF-8 dash).

I'll finally close this bug as INVALID: While git-2.7.4 was first upstream release containing fixes for both vulnerabilities, CVE-2016-2315 was already addressed in bug 577482 like said above and the remaining vulnerability CVE-2016-2324 never affected Gentoo:
CVE-2016-2324 is about a flaw in path_name function which was already removed by the bug fix for CVE-2016-2315 (bug 577482), see https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9af1e5cffa8122cf3b7c66a2a8291fafcd60c121.