Bug 458146 (CVE-2008-3546) - CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows
Summary: CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3546
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-06 17:24 UTC by Tomas Hoger
Modified: 2013-01-10 10:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-03-29 09:42:51 UTC
Embargoed:



Description Tomas Hoger 2008-08-06 17:24:06 UTC
Secunia reports:

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

Solution: Update to version 1.5.6.4.

Upstream patch:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

References:
http://secunia.com/advisories/31347/
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

Comment 1 Tomas Hoger 2008-08-07 07:00:47 UTC
Looking at the patch, the problem that was addressed was:

  char concatpath[PATH_MAX];

  sprintf(concatpath, "%s%s", base, path);

However, this overflow is caught by FORTIFY_SOURCE. RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later. So on all current Fedora versions and EPEL5, overflow is detected before it happens and command execution is terminated. EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.

On Fedora, this is only DoS, but I don't think such DoS needs to be treated as security sensitive.
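The overflow described in the Secunia text above and in comment 1 is a fixed PATH_MAX stack buffer filled by sprintf() from two pathname strings whose combined length is not checked. The following C program is an added illustration, not git's code and not the upstream patch; the function names join_path_bounded, join_path_alloc and make_component, and the sample paths, are constructed for this example. It shows the two usual defensive replacements for that pattern (a bounded join that reports overflow instead of writing past the buffer, and a join sized from its inputs) and notes in a comment why FORTIFY_SOURCE turns the original bug into an abort.

```c
/* Added example, not git's code. The bug in comment 1 is a fixed
 * PATH_MAX stack buffer written with sprintf("%s%s", base, path)
 * without checking the combined length. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback; Linux <limits.h> normally defines it */
#endif

/* Vulnerable pattern from the report, for reference only (never called):
 *
 *   char concatpath[PATH_MAX];
 *   sprintf(concatpath, "%s%s", base, path);
 *
 * If strlen(base) + strlen(path) >= PATH_MAX the write runs off the end
 * of the stack buffer. With -D_FORTIFY_SOURCE=2 the compiler knows the
 * buffer size and routes the call through glibc's __sprintf_chk, which
 * aborts the process ("buffer overflow detected") instead of corrupting
 * the stack. That is why comment 1 treats the bug as a DoS on Fedora. */

/* Bounded join: returns 0 on success, -1 if the result would not fit.
 * snprintf() never writes more than outsz bytes and returns the length
 * it *wanted* to write, so comparing that with outsz detects overflow. */
int join_path_bounded(char *out, size_t outsz, const char *base, const char *path)
{
    int needed = snprintf(out, outsz, "%s%s", base, path);
    if (needed < 0 || (size_t)needed >= outsz) {
        if (outsz > 0)
            out[0] = '\0';      /* do not leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Dynamically sized join: the buffer is sized from the inputs, so
 * PATH_MAX plays no part in memory safety. Caller frees the result.
 * Returns NULL only on allocation failure or size_t overflow. */
char *join_path_alloc(const char *base, const char *path)
{
    size_t blen = strlen(base), plen = strlen(path);
    if (plen >= SIZE_MAX - blen)
        return NULL;            /* blen + plen + 1 would wrap */
    char *out = malloc(blen + plen + 1);
    if (!out)
        return NULL;
    memcpy(out, base, blen);
    memcpy(out + blen, path, plen + 1);   /* copies the terminating NUL */
    return out;
}

/* Builds a constructed pathname component of the requested length
 * (all 'a'), standing in for an over-long name stored in a repository.
 * Caller frees. */
char *make_component(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'a', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char fixed[PATH_MAX];
    char *longname = make_component(PATH_MAX);   /* constructed, longer than PATH_MAX once joined */
    if (!longname)
        return 1;

    if (join_path_bounded(fixed, sizeof fixed, "src/", "main.c") == 0)
        printf("short path fits: %s\n", fixed);
    if (join_path_bounded(fixed, sizeof fixed, "src/", longname) != 0)
        printf("long path rejected instead of overflowing the buffer\n");

    char *dyn = join_path_alloc("src/", longname);
    if (dyn)
        printf("dynamic join holds %zu bytes regardless of PATH_MAX\n", strlen(dyn));

    free(dyn);
    free(longname);
    return 0;
}
```

The bounded variant is the drop-in fix for code that must keep a fixed buffer; the allocating variant is what to prefer when the caller can free the result, because no input length can make it misbehave.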

Comment 3 Tomas Hoger 2008-08-08 06:53:56 UTC
CVE id CVE-2008-3546 was assigned to this issue:

Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 1.5.6.4 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or
git-grep.

Comment 4 Tomas Hoger 2008-08-13 16:46:32 UTC
Nico Golde pointed out two more related changesets:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=f66cf96
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=620e2bb

Comment 5 Fedora Update System 2008-10-22 12:51:51 UTC
git-1.5.6.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.5.6.5-1.fc9

Comment 6 Fedora Update System 2008-10-23 16:40:30 UTC
git-1.5.6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
