Bug 458146 (CVE-2008-3546)

Summary: CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bkearney, chrisw, jwboyer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-29 09:42:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-08-06 17:24:06 UTC
Secunia reports:

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

Solution: Update to version 1.5.6.4.

Upstream patch:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

References:
http://secunia.com/advisories/31347/
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

Comment 1 Tomas Hoger 2008-08-07 07:00:47 UTC
Looking at the patch, the problem that was addressed was:

  char concatpath[PATH_MAX];                 /* fixed-size stack buffer */

  sprintf(concatpath, "%s%s", base, path);   /* unbounded write: overflows once strlen(base) + strlen(path) >= PATH_MAX */

However, this overflow is caught by FORTIFY_SOURCE.  RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later.  So on all current Fedora versions and EPEL5, the overflow is detected before it happens and command execution is terminated.   EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.

On Fedora, this is only DoS, but I don't think such DoS needs to be treated as security sensitive.
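
Added example, not git's code and not the upstream patch linked above: the fixed-size sprintf() pattern quoted in the comment, rewritten so that an overlong component is refused instead of being written past the end of the buffer, beside the dynamic-allocation shape that removes the dependence on PATH_MAX altogether. The helper names (concat_path_checked, concat_path_alloc, overlong_path_is_rejected) are assumptions, and the overlong pathname is constructed inline. Where FORTIFY_SOURCE turns the original pattern into a runtime abort, as the comment describes, the bounded version fails the single operation and lets the caller report it, which is the behaviour you want from a tool run against untrusted repository content.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Hypothetical bounded replacement for the sprintf() pattern quoted in the
 * comment (illustration only, not git's code). Writes base+path into a
 * caller-supplied buffer of outsz bytes. Returns 0 on success, or -1 with
 * out[0] == '\0' when the result including its terminating NUL would not fit. */
int concat_path_checked(char *out, size_t outsz, const char *base, const char *path)
{
    size_t blen = strlen(base);
    size_t plen = strlen(path);

    if (outsz == 0)
        return -1;
    /* Overflow-safe form of the test: blen + plen + 1 > outsz */
    if (plen >= outsz || blen >= outsz - plen) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, base, blen);
    memcpy(out + blen, path, plen + 1);   /* +1 copies the NUL terminator */
    return 0;
}

/* Alternative: size the buffer from the inputs rather than from PATH_MAX, so
 * no pathname length can overflow it. Returns NULL on overflow or allocation
 * failure; the caller frees the result. */
char *concat_path_alloc(const char *base, const char *path)
{
    size_t blen = strlen(base);
    size_t plen = strlen(path);
    char *out;

    if (blen > SIZE_MAX - 1 - plen)
        return NULL;
    out = malloc(blen + plen + 1);
    if (!out)
        return NULL;
    memcpy(out, base, blen);
    memcpy(out + blen, path, plen + 1);
    return out;
}

/* Constructed input: a single component longer than PATH_MAX, the condition the
 * advisory describes. Returns 1 if the bounded helper refused it cleanly. */
int overlong_path_is_rejected(void)
{
    char concatpath[PATH_MAX];
    size_t n = PATH_MAX + 15;
    char *longname = malloc(n + 1);
    int rc;

    if (!longname)
        return 0;
    memset(longname, 'a', n);
    longname[n] = '\0';
    rc = concat_path_checked(concatpath, sizeof concatpath, "sub/dir/", longname);
    free(longname);
    return rc == -1 && concatpath[0] == '\0';
}

/* Ordinary input that fits: returns 1 if the joined path is exactly "a/b.c". */
int small_path_fits(void)
{
    char buf[16];
    if (concat_path_checked(buf, sizeof buf, "a/", "b.c") != 0)
        return 0;
    return strcmp(buf, "a/b.c") == 0;
}

/* Input that needs exactly one byte more than the buffer holds (16 chars + NUL
 * into 16 bytes): returns 1 if it is refused. */
int off_by_one_is_rejected(void)
{
    char buf[16];
    return concat_path_checked(buf, sizeof buf, "0123456789", "abcdef") == -1;
}

/* Returns 1 if the allocating variant joins "dir/" and "file" correctly. */
int alloc_path_matches(void)
{
    char *p = concat_path_alloc("dir/", "file");
    int ok = p != NULL && strcmp(p, "dir/file") == 0;
    free(p);
    return ok;
}

int main(void)
{
    printf("overlong component rejected: %d\n", overlong_path_is_rejected());
    printf("small path fits:             %d\n", small_path_fits());
    printf("off-by-one rejected:         %d\n", off_by_one_is_rejected());
    printf("allocating variant ok:       %d\n", alloc_path_matches());
    return 0;
}
```

The check in concat_path_checked is written as two comparisons rather than `blen + plen + 1 > outsz` so that the sum itself cannot wrap; that matters precisely when the inputs are attacker-sized, which is the situation this bug is about.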

Comment 3 Tomas Hoger 2008-08-08 06:53:56 UTC
CVE id CVE-2008-3546 was assigned to this issue:

Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 1.5.6.4 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or
git-grep.

Comment 4 Tomas Hoger 2008-08-13 16:46:32 UTC
Nico Golde pointed out two more related changesets:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=f66cf96
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=620e2bb

Comment 5 Fedora Update System 2008-10-22 12:51:51 UTC
git-1.5.6.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.5.6.5-1.fc9

Comment 6 Fedora Update System 2008-10-23 16:40:30 UTC
git-1.5.6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.