Bug 505761 (CVE-2009-2108)

Summary: CVE-2009-2108 git daemon Denial of Service with unknown "extra arg" information
Product: [Fedora] Fedora
Reporter: Todd Zullinger <tmz>
Component: git
Assignee: Todd Zullinger <tmz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: rawhide
CC: bkearney, bressers, chrisw, jwboyer, tmz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.6.0.6-4.fc10
Doc Type: Bug Fix
Last Closed: 2009-06-24 19:17:20 UTC

Description Todd Zullinger 2009-06-13 15:34:31 UTC
A bug present in git-daemon since 1.4.4.5 can cause a denial of service by sending the git-daemon process into an infinite loop.  This is discussed in the git list thread starting at:

    http://thread.gmane.org/gmane.comp.version-control.git/120724

The fix was applied to the maint branch and can be seen at:

    http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

I posted about this to fedora-security-list a day or so ago:

    http://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly.  The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon.  I don't think the
backporting is all that difficult, but I am not a strong C coder.  Any
extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial
patch in the git list thread above:

$ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418 # or git-daemon --inetd --base-path=`pwd` --export-all

This will cause the git-daemon process spawned via xinetd to enter an
infinite loop.  New requests will still be handled, as xinetd will
spawn a new git-daemon process.  But, of course, an attacker can
easily cause many git-daemon processes to be started that will not
exit.

I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there).  These packages and patches against current CVS are at:

    http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)

Comment 1 Tomas Hoger 2009-06-19 06:06:47 UTC
CVE-2009-2108:
git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a
request containing extra unrecognized arguments.
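
The failure mode named in the CVE text above, shown as an added C example that is not git's code or the fix commit: a hypothetical parse_extra_args() walks the NUL-separated arguments that follow the request line and advances past every one, recognized or not, so an unrecognized argument cannot stall the loop. The function name, return convention and buffer sizes are assumptions; the sample request in main() is the payload from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not git's function. buf/len is the request payload
 * after the 4-hex-digit length prefix: "command path\0arg\0arg\0".
 * Copies the value of host= into host when present. Returns the number of
 * extra arguments seen, or -1 if the last one is not NUL-terminated. */
int parse_extra_args(const char *buf, size_t len, char *host, size_t hostsz)
{
    const char *end = buf + len;
    const char *p = memchr(buf, '\0', len);  /* end of "command path" */
    int count = 0;

    if (hostsz)
        host[0] = '\0';
    if (!p)
        return 0;                            /* no extra args at all */
    p++;
    while (p < end) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul)
            return -1;                       /* unterminated argument: reject */
        size_t n = (size_t)(nul - p);
        if (n >= 5 && strncasecmp(p, "host=", 5) == 0 && n - 5 < hostsz) {
            memcpy(host, p + 5, n - 5);
            host[n - 5] = '\0';
        }
        /* Advance unconditionally. A loop that moved p only inside the
         * host= branch would never get past "user=me" and would spin. */
        p = nul + 1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: the request payload from the description above. */
    static const char req[] = "git-upload-pack git\0user=me\0host=localhost\0";
    char host[64];
    int n = parse_extra_args(req, sizeof req - 1, host, sizeof host);
    printf("%d extra args, host=%s\n", n, host);
    return 0;
}
```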

Comment 2 Fedora Update System 2009-06-20 02:16:01 UTC
git-1.6.2.5-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/git-1.6.2.5-1.fc11

Comment 3 Fedora Update System 2009-06-20 02:22:32 UTC
git-1.6.0.6-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc10

Comment 4 Fedora Update System 2009-06-20 02:24:15 UTC
git-1.6.0.6-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc9

Comment 5 Fedora Update System 2009-06-24 19:17:06 UTC
git-1.6.0.6-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-06-24 19:19:11 UTC
git-1.6.2.5-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-06-24 19:28:15 UTC
git-1.6.0.6-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.