458146 – (CVE-2008-3546) CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Bug 458146 (CVE-2008-3546) - CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Summary: CVE-2008-3546 git: Pathname Processing Multiple Buffer Overflows

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3546
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-08-06 17:24 UTC by Tomas Hoger
Modified:	2013-01-10 10:25 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-03-29 09:42:51 UTC
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2008-08-06 17:24:06 UTC

Secunia reports:

Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.5.6.3. Prior versions may also be affected.

Solution: Update to version 1.5.6.4.

Upstream patch:
http://kerneltrap.org/mailarchive/git/2008/7/16/2529284

References:
http://secunia.com/advisories/31347/
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt

Comment 1 Tomas Hoger 2008-08-07 07:00:47 UTC

Looking at the patch, problem that was addressed was:

  char concatpath[PATH_MAX];

  sprintf(concatpath, "%s%s", base, path);

However, this overflow is caught by FORTIFY_SOURCE.  RPMs are compiled with -D_FORTIFY_SOURCE=2 on Red Hat Enterprise Linux 5 and later.  So on all current Fedora versions and EPEL5, overflow is detected before it happens and command execution is terminated.   EPEL4 does not seem to use FORTIFY_SOURCE by default, so this can only be a concern there.

On Fedora, this is only DoS, but I don't think such DoS needs to be treated as security sensitive.

Comment 2 Tomas Hoger 2008-08-07 10:16:03 UTC

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=fd55a19eb1d49ae54008d932a65f79cd6fda45c9

Comment 3 Tomas Hoger 2008-08-08 06:53:56 UTC

CVE id CVE-2008-3546 was assigned to this issue:

Stack-based buffer overflow in the (1) diff_addremove and (2)
diff_change functions in GIT before 1.5.6.4 might allow local users to
execute arbitrary code via a PATH whose length is larger than the
system's PATH_MAX when running GIT utilities such as git-diff or
git-grep.

Comment 4 Tomas Hoger 2008-08-13 16:46:32 UTC

Nico Golde pointed out two more related changesets:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=f66cf96
http://git.kernel.org/?p=git/git.git;a=commitdiff;h=620e2bb

Comment 5 Fedora Update System 2008-10-22 12:51:51 UTC

git-1.5.6.5-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.5.6.5-1.fc9

Comment 6 Fedora Update System 2008-10-23 16:40:30 UTC

git-1.5.6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.