Bug 458146 - (CVE-2008-3546) CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Reported: 2008-08-06 13:24 EDT by Tomas Hoger
Modified: 2013-01-10 05:25 EST
Last Closed: 2010-03-29 05:42:51 EDT
Doc Type: Bug Fix
Attachments: None

Description Tomas Hoger 2008-08-06 13:24:06 EDT
Secunia reports:

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

Solution: Update to version 1.5.6.4.

Upstream patch:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

References:
http://secunia.com/advisories/31347/
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt
Comment 1 Tomas Hoger 2008-08-07 03:00:47 EDT
Looking at the patch, the problem that was addressed was:

  char concatpath[PATH_MAX];

  sprintf(concatpath, "%s%s", base, path);

However, this overflow is caught by FORTIFY_SOURCE. RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later. So on all current Fedora versions and EPEL5, the overflow is detected before it happens and command execution is terminated. EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.

On Fedora, this is only a DoS, but I don't think such a DoS needs to be treated as security sensitive.
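The pattern quoted in comment 1 (an unbounded sprintf into a PATH_MAX-sized stack buffer) and two bounded replacements, as an added example that is not git's code or the patch referenced in this bug. The helper names concat_path_bounded and concat_path_alloc are assumed for illustration, and the over-long input is constructed in the code itself. The bounded variant refuses a concatenation that would not fit and reports it to the caller, and the allocating variant sizes the buffer from the inputs instead of from PATH_MAX. The original sprintf call, compiled with -O2 -D_FORTIFY_SOURCE=2 as comment 1 describes, would instead be turned into a checked variant that aborts the process when the destination is too small, which is the DoS-not-code-execution outcome noted above.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Bounded replacement for  sprintf(concatpath, "%s%s", base, path);
 * (assumed helper, not git's own code). Returns 0 on success and -1 when
 * base+path would not fit in outsz bytes; never writes past out[outsz-1]. */
int concat_path_bounded(char *out, size_t outsz, const char *base, const char *path)
{
    int n = snprintf(out, outsz, "%s%s", base, path);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* leave a well-defined empty string behind */
        return -1;
    }
    return 0;
}

/* Alternative: size the buffer from the inputs instead of from PATH_MAX.
 * The caller frees the result. Returns NULL on allocation failure. */
char *concat_path_alloc(const char *base, const char *path)
{
    size_t bl = strlen(base), pl = strlen(path);
    char *out = malloc(bl + pl + 1);
    if (!out)
        return NULL;
    memcpy(out, base, bl);
    memcpy(out + bl, path, pl + 1);  /* pl + 1 copies the terminating NUL */
    return out;
}

/* Ordinary input: a short base and path fit in a PATH_MAX buffer. */
int check_short_fits(void)
{
    char concatpath[PATH_MAX];
    if (concat_path_bounded(concatpath, sizeof concatpath, "subdir/", "file.c") != 0)
        return 0;
    return strcmp(concatpath, "subdir/file.c") == 0;
}

/* Constructed input of the shape the advisory describes: a repository
 * pathname longer than PATH_MAX on the user's system. The original sprintf
 * would write PATH_MAX + 107 bytes into a PATH_MAX byte stack buffer here. */
int check_long_rejected(void)
{
    char concatpath[PATH_MAX];
    size_t len = (size_t)PATH_MAX + 100;
    char *path = malloc(len + 1);
    if (!path)
        return 0;
    memset(path, 'a', len);
    path[len] = '\0';

    int ok = 1;
    /* bounded variant: refuses, buffer untouched beyond its bounds */
    if (concat_path_bounded(concatpath, sizeof concatpath, "subdir/", path) != -1)
        ok = 0;
    if (concatpath[0] != '\0')
        ok = 0;
    /* allocating variant: succeeds with an exactly sized heap buffer */
    char *dyn = concat_path_alloc("subdir/", path);
    if (!dyn || strlen(dyn) != len + 7 || strncmp(dyn, "subdir/", 7) != 0)
        ok = 0;
    free(dyn);
    free(path);
    return ok;
}

int main(void)
{
    printf("short path fits:      %s\n", check_short_fits() ? "yes" : "no");
    printf("over-long path safe:  %s\n", check_long_rejected() ? "yes" : "no");
    return 0;
}
```

Returning -1 rather than silently truncating matters for a tool like git: a truncated pathname is still a wrong pathname, so the caller should report the entry and skip it instead of operating on a different file than the one in the repository.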
Comment 3 Tomas Hoger 2008-08-08 02:53:56 EDT
CVE id CVE-2008-3546 was assigned to this issue:

Stack-based buffer overflow in the (1) diff_addremove and (2) diff_change functions in GIT before 1.5.6.4 might allow local users to execute arbitrary code via a PATH whose length is larger than the system's PATH_MAX when running GIT utilities such as git-diff or git-grep.
Comment 4 Tomas Hoger 2008-08-13 12:46:32 EDT
Nico Golde pointed out two more related changesets:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=f66cf96
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=620e2bb
Comment 5 Fedora Update System 2008-10-22 08:51:51 EDT
git-1.5.6.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.5.6.5-1.fc9
Comment 6 Fedora Update System 2008-10-23 12:40:30 EDT
git-1.5.6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
