Red Hat Bugzilla – Bug 458146
CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows
Last modified: 2013-01-10 05:25:36 EST
Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.
Successful exploitation may allow execution of arbitrary code.
The vulnerabilities are reported in version 188.8.131.52. Prior versions may also be affected.
Solution: Update to version 184.108.40.206.
Looking at the patch, the problem that was addressed was:
sprintf(concatpath, "%s%s", base, path);
However, this overflow is caught by FORTIFY_SOURCE. RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later. So on all current Fedora versions and EPEL5, the overflow is detected before it happens and command execution is terminated. EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.
On Fedora, this is only DoS, but I don't think such DoS needs to be treated as security sensitive.
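The comments above describe an unbounded sprintf into a fixed-size path buffer, which FORTIFY_SOURCE turns from a stack overflow into an abort. The block below is an added example, not git's code and not the upstream patch: it shows the bounded replacements a defender would want for that pattern (a length-checked copy, an snprintf variant that reports truncation, and a heap variant sized from its inputs). Function names such as concat_path_checked are hypothetical.

```c
/* Added example (not git's code, not the patch): bounded replacements for the
   sprintf(concatpath, "%s%s", base, path) pattern. Function names are hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback only; the real value comes from <limits.h> */
#endif

/* Join base and path into out (capacity outsz). Returns 0 on success,
   -1 when the result plus its NUL terminator would not fit. The comparisons
   are ordered so the size arithmetic itself cannot wrap around. */
int concat_path_checked(char *out, size_t outsz, const char *base, const char *path)
{
    size_t blen = strlen(base), plen = strlen(path);
    if (outsz == 0 || blen >= outsz || plen >= outsz - blen)
        return -1;                       /* blen + plen + 1 > outsz */
    memcpy(out, base, blen);
    memcpy(out + blen, path, plen + 1);  /* copies the terminating NUL */
    return 0;
}

/* Same check via snprintf: it never writes past outsz, and its return value
   (the length it wanted to write) exposes truncation. */
int concat_path_snprintf(char *out, size_t outsz, const char *base, const char *path)
{
    int n = snprintf(out, outsz, "%s%s", base, path);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';        /* do not hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Heap variant: size the buffer from the inputs instead of assuming PATH_MAX.
   Caller frees. Returns NULL on overflow of the size computation or on OOM. */
char *concat_path_alloc(const char *base, const char *path)
{
    size_t blen = strlen(base), plen = strlen(path);
    if (plen > SIZE_MAX - blen - 1) return NULL;
    char *out = malloc(blen + plen + 1);
    if (!out) return NULL;
    memcpy(out, base, blen);
    memcpy(out + blen, path, plen + 1);
    return out;
}

/* Would the unchecked pattern overflow a PATH_MAX-sized stack buffer? */
int exceeds_path_max(const char *base, const char *path)
{
    return strlen(base) + strlen(path) + 1 > PATH_MAX;
}

int main(void)
{
    char buf[PATH_MAX];
    char longname[PATH_MAX + 16];            /* constructed over-long component */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short: %d\n", concat_path_checked(buf, sizeof buf, "src/", "diff.c"));
    printf("long : %d (exceeds PATH_MAX: %d)\n",
           concat_path_checked(buf, sizeof buf, "src/", longname),
           exceeds_path_max("src/", longname));
    return 0;
}
```

The checked variants fail closed on an over-long name regardless of whether the binary was built with FORTIFY_SOURCE, which is the point for the EPEL4 case mentioned above; the heap variant removes the PATH_MAX assumption altogether.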
CVE id CVE-2008-3546 was assigned to this issue:
Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 220.127.116.11 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or
Nico Golde pointed out two more related changesets:
git-18.104.22.168-1.fc9 has been submitted as an update for Fedora 9.
git-22.214.171.124-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.