Bug 505761 - (CVE-2009-2108) CVE-2009-2108 git daemon Denial of Service with unknown "extra arg" information
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: git
Version: rawhide
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Todd Zullinger
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2009-06-13 11:34 EDT by Todd Zullinger
Modified: 2013-01-10 05:33 EST
Fixed In Version: 1.6.0.6-4.fc10
Doc Type: Bug Fix
Last Closed: 2009-06-24 15:17:20 EDT
Description Todd Zullinger 2009-06-13 11:34:31 EDT
A bug present in git-daemon since 1.4.4.5 can cause a denial of service by sending the git-daemon process into an infinite loop.  This is discussed in the git list thread starting at:

    http://thread.gmane.org/gmane.comp.version-control.git/120724

The fix was applied to the maint branch and can be seen at:

    http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

I posted about this to fedora-security-list a day or so ago:

    http://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly.  The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon.  I don't think the
backporting is all that difficult, but I am not a strong C coder.  Any
extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial
patch in the git list thread above:

$ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418 # or git-daemon --inetd --base-path=`pwd` --export-all

This will cause the git-daemon process spawned via xinetd to enter an
infinite loop.  New requests will still be handled, as xinetd will
spawn a new git-daemon process.  But, of course, an attacker can
easily cause many git-daemon processes to be started that will not
exit.

I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there).  These packages and patches against current CVS are at:

    http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)
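
Added example (not part of the original report, and not code from git or from the linked patch): a C sketch of strict parsing for the NUL-separated "extra arg" region, where the cursor advances past every argument whether or not it is recognized, so an unknown argument cannot stall the loop. The names scan_extra_args and struct extra_args are hypothetical, and treating host= as the only recognized argument is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result type: what was found in the extra-args region. */
struct extra_args {
    const char *host;   /* value of host=, or NULL if absent or empty */
    int unknown;        /* number of arguments that were not recognized */
};

/* Walk buf[0..len): each argument is a NUL-terminated string. Returns 0 on
 * success, -1 if an argument is not NUL-terminated inside the buffer. */
int scan_extra_args(const char *buf, size_t len, struct extra_args *out)
{
    const char *p = buf, *end = buf + len;

    out->host = NULL;
    out->unknown = 0;
    while (p < end && *p) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul)
            return -1;          /* unterminated: reject the request */
        if (!strncasecmp(p, "host=", 5)) {
            if (p[5])
                out->host = p + 5;
        } else {
            out->unknown++;     /* e.g. "user=me": counted and skipped */
        }
        p = nul + 1;            /* unconditional advance past this argument */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the extra-args bytes of the test request above;
     * sizeof includes the literal's trailing NUL. */
    static const char sample[] = "user=me\0host=localhost";
    struct extra_args r;

    if (scan_extra_args(sample, sizeof sample, &r) != 0)
        return 1;
    printf("host=%s unknown=%d\n", r.host ? r.host : "(none)", r.unknown);
    return 0;
}
```

The unknown count gives a server something to log or reject on; whether to drop such requests or just ignore the extra argument is a policy choice the sketch leaves open.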
Comment 1 Tomas Hoger 2009-06-19 02:06:47 EDT
CVE-2009-2108:
git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a
request containing extra unrecognized arguments.
Comment 2 Fedora Update System 2009-06-19 22:16:01 EDT
git-1.6.2.5-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/git-1.6.2.5-1.fc11
Comment 3 Fedora Update System 2009-06-19 22:22:32 EDT
git-1.6.0.6-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc10
Comment 4 Fedora Update System 2009-06-19 22:24:15 EDT
git-1.6.0.6-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc9
Comment 5 Fedora Update System 2009-06-24 15:17:06 EDT
git-1.6.0.6-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-06-24 15:19:11 EDT
git-1.6.2.5-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-06-24 15:28:15 EDT
git-1.6.0.6-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
