Bug 458146 – CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Bug 458146 - (CVE-2008-3546) CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Summary:	CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Status:	CLOSED ERRATA

Aliases:	CVE-2008-3546

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-08-06 13:24 EDT by Tomas Hoger
Modified:	2013-01-10 05:25 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-03-29 05:42:51 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tomas Hoger 2008-08-06 13:24:06 EDT

Secunia reports:

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

Solution: Update to version 1.5.6.4.

Upstream patch:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

References:
http://secunia.com/advisories/31347/
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

Comment 1 Tomas Hoger 2008-08-07 03:00:47 EDT

Looking at the patch, problem that was addressed was:

  char concatpath[PATH_MAX];

  sprintf(concatpath, "%s%s", base, path);

However, this overflow is caught by FORTIFY_SOURCE.  RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later.  So on all current Fedora versions and EPEL5, overflow is detected before it happens and command execution is terminated.   EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.

On Fedora, this is only DoS, but I don't think such DoS needs to be treated as security sensitive.

Comment 2 Tomas Hoger 2008-08-07 06:16:03 EDT

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=fd55a19eb1d49ae54008d932a65f79cd6fda45c9

Comment 3 Tomas Hoger 2008-08-08 02:53:56 EDT

CVE id CVE-2008-3546 was assigned to this issue:

Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 1.5.6.4 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or
git-grep.

Comment 4 Tomas Hoger 2008-08-13 12:46:32 EDT

Nico Golde pointed out two more related changesets:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=f66cf96
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=620e2bb

Comment 5 Fedora Update System 2008-10-22 08:51:51 EDT

git-1.5.6.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.5.6.5-1.fc9

Comment 6 Fedora Update System 2008-10-23 12:40:30 EDT

git-1.5.6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.