Bug 618108 (CVE-2010-2542)

Summary: CVE-2010-2542 Git: Arbitrary code execution via specially-crafted .git file
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: atkac, bkearney, chrisw, jwboyer, npajkovs, tmz, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-01-10 12:02:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 617422, 618112, 637953

Description Jan Lieskovsky 2010-07-26 07:03:02 UTC
A buffer overrun was found in the way Git sanitized the path of a git directory.
If a local attacker created a specially-crafted working copy and tricked
the local user into running any git command, it could lead to arbitrary
code execution with the privileges of the user running the Git command.

References:
  [1] http://seclists.org/oss-sec/2010/q3/93
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=617422

Upstream patches:
  [3] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hp=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f
  [4] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20;hp=2a5fe2545882721d6841bad11dae0f15b454bf0d
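As an added illustration of the bug class the description names (this is not git's own code and does not reproduce the upstream patches linked above), the C program below shows a fixed-size path buffer filled from a gitdir that was read out of a crafted .git file, beside a length-checked form that refuses the candidate before anything is copied. DEMO_PATH_MAX, the function names and the sample .git file contents are assumptions made for the demo; the unsafe function is included only for contrast and is never fed the overlong input.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for PATH_MAX, kept small so an overlong gitdir is easy to construct. */
#define DEMO_PATH_MAX 32

/* Extract the path from the contents of a ".git" file ("gitdir: <path>\n").
 * This is the attacker-controlled input in the scenario the report describes.
 * Returns 0 and fills 'out', or -1 if the prefix is missing or 'out' is too small. */
static int parse_gitfile(const char *contents, char *out, size_t outsz)
{
    static const char prefix[] = "gitdir: ";
    size_t plen = sizeof(prefix) - 1;
    size_t n;

    if (strncmp(contents, prefix, plen) != 0)
        return -1;
    contents += plen;
    n = strcspn(contents, "\r\n");      /* path ends at the first line break */
    if (n >= outsz)
        return -1;
    memcpy(out, contents, n);
    out[n] = '\0';
    return 0;
}

/* VULNERABLE shape: assumes 'suspect' plus "/objects" fits in a DEMO_PATH_MAX
 * buffer. In the bug class described above that buffer is a local array, so an
 * overlong gitdir overruns the stack. 'path' must point at DEMO_PATH_MAX bytes.
 * Shown only for contrast; never feed it untrusted input. */
static void objects_path_unsafe(const char *suspect, char *path)
{
    size_t len = strlen(suspect);

    strcpy(path, suspect);              /* unbounded copy */
    strcpy(path + len, "/objects");     /* second unbounded write */
}

/* Hardened shape: reject the candidate before copying anything. The bound
 * counts the appended "/objects" and the terminating NUL, which is why it
 * uses <= rather than <. Returns 0 on success, -1 when the path is too long. */
static int objects_path_safe(const char *suspect, char *path, size_t pathsz)
{
    static const char suffix[] = "/objects";
    size_t len = strlen(suspect);

    if (pathsz <= len + strlen(suffix))
        return -1;
    memcpy(path, suspect, len);
    memcpy(path + len, suffix, sizeof(suffix));   /* sizeof includes the NUL */
    return 0;
}

/* End to end: .git file contents -> gitdir -> "<gitdir>/objects", refusing
 * anything that would not fit. Returns 0 on success, -1 for a malformed
 * file, -2 for an overlong gitdir. */
int gitfile_objects_path(const char *contents, char *path, size_t pathsz)
{
    char gitdir[256];

    if (parse_gitfile(contents, gitdir, sizeof(gitdir)) != 0)
        return -1;
    if (objects_path_safe(gitdir, path, pathsz) != 0)
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a benign .git file and a crafted one whose
     * gitdir is far longer than DEMO_PATH_MAX. */
    const char *benign = "gitdir: ../real/.git\n";
    char crafted[128];
    char path[DEMO_PATH_MAX];

    strcpy(crafted, "gitdir: ");
    memset(crafted + 8, 'A', 100);
    strcpy(crafted + 108, "\n");

    if (gitfile_objects_path(benign, path, sizeof(path)) == 0)
        printf("benign gitdir accepted: %s\n", path);
    printf("crafted gitdir result: %d (rejected before any copy into a %d-byte buffer)\n",
           gitfile_objects_path(crafted, path, sizeof(path)), DEMO_PATH_MAX);
    return 0;
}
```

The point to take from the contrast is where the check sits: the hardened form decides on the length of the untrusted string before touching the destination, and its bound accounts for everything that will be appended, including the NUL.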

Comment 2 Jan Lieskovsky 2010-07-26 07:09:03 UTC
This issue has been addressed in the current versions of the git
package, present in the Fedora -testing repository (git-1.7.2-1.fc1{2,3,4}).

Comment 3 Vincent Danen 2010-09-27 20:39:05 UTC
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 637953]

Comment 4 Vincent Danen 2010-09-27 20:41:07 UTC
This affects the current version of cgit as found in Fedora.  Upstream has released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct this issue:

http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

(I'm not sure if it's possible to make cgit use the system git, but it should probably be explored).

Comment 5 Todd Zullinger 2010-09-27 22:07:37 UTC
(In reply to comment #4)
> This affects the current version of cgit as found in Fedora.  Upstream has
> released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct
> this issue:
> 
> http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

I saw the cgit announcement earlier.  I will update cgit tonight or tomorrow morning.

> (I'm not sure if it's possible to make cgit use the system git, but it should
> probably be explored).

This was discussed prior to introducing cgit in Fedora and it's not something we can do.  Git doesn't provide any library interface.  Cgit would have to be incorporated into git or git would have to grow a stable library interface.  Neither of which seem imminent, unfortunately.  Eventually, libgit2 may reach a point where it can be used, but that also isn't near-term.

Comment 6 Todd Zullinger 2010-09-27 23:49:05 UTC
I applied the 2 line patch to git rather than bump cgit from 0.8.2.1 to 0.8.3.4 to fix this issue in F-1{2..4} and EL-{5,6}.  That way I can update to 0.8.3.4 and let it receive some time in updates-testing without keeping users vulnerable.

Comment 7 Vincent Danen 2010-09-28 17:41:36 UTC
Thanks for that, Todd.  And for the explanation as well.  Makes sense, but we'll have to keep this in mind for future git issues that come up as well.

Comment 8 Todd Zullinger 2010-09-28 17:54:04 UTC
Yes, indeed.  It's certainly a less than ideal situation, for exactly this sort of issue.

And thank you for helping keep us more secure.