A bug present in git-daemon since 1.4.4.5 can cause a denial of service by sending the git-daemon process into an infinite loop. This is discussed in the git list thread starting at:

http://thread.gmane.org/gmane.comp.version-control.git/120724

The fix was applied to the maint branch and can be seen at:

http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

I posted about this to fedora-security-list a day or so ago:

http://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Of the active Fedora/EPEL branches, only devel and F-11 are recent enough for this to apply cleanly. The other branches required a small amount of reworking to account for changes made to git-daemon since the releases those branches were based upon.

I don't think the backporting is all that difficult, but I am not a strong C coder. Any extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial patch in the git list thread above:

    $ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
    ' | nc $GITHOST 9418 # or git-daemon --inetd --base-path=`pwd` --export-all

This will cause the git-daemon process spawned via xinetd to enter an infinite loop. New requests will still be handled, as xinetd will spawn a new git-daemon process. But, of course, an attacker can easily cause many git-daemon processes to be started that will not exit.

I've created patched packages with the backported patch for EL-{4,5} and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work there). These packages and patches against current CVS are at:

http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as those were changes I had slated for release soon and didn't want to revert at the last minute.)
CVE-2009-2108: git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments.
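An added illustration, not git's code and not part of this report: a C parser for the packet shape used in the test above that steps over unrecognised arguments by their own length, so parsing always terminates. The function name, the strict length and NUL checks, and the sample constant are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the request from the report, with its
 * 4-hex-digit length prefix (4 + 43 payload bytes = 0x2f). */
static const char sample[] = "002fgit-upload-pack git\0user=me\0host=localhost";

/* Walk one request packet: "LLLL" + "command path\0" + zero or more
 * "key=value\0" fields. Returns the number of extra fields seen
 * (recognised or not), or -1 if the packet is malformed. *host is
 * pointed at the host= value inside pkt, or set to NULL. */
int parse_request(const char *pkt, size_t n, const char **host)
{
    char len[5] = {0};
    const char *p, *end = pkt + n;
    int i, count = 0;

    *host = NULL;
    if (n < 5 || pkt[n - 1] != '\0')
        return -1;              /* last field must be NUL-terminated */
    for (i = 0; i < 4; i++) {
        if (!isxdigit((unsigned char)pkt[i]))
            return -1;
        len[i] = pkt[i];
    }
    if (strtoul(len, NULL, 16) != n)
        return -1;              /* prefix must match bytes received */

    p = pkt + 4;
    p += strlen(p) + 1;         /* skip "command path" */
    /* Step past every field by its own length, recognised or not,
     * so the loop always makes forward progress and terminates. */
    for (; p < end; p += strlen(p) + 1) {
        count++;
        if (strncmp(p, "host=", 5) == 0)
            *host = p + 5;
    }
    return count;
}

int main(void)
{
    const char *host;
    int n = parse_request(sample, sizeof sample, &host);
    printf("%d extra fields, host=%s\n", n, host ? host : "(none)");
    return 0;
}
```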
git-1.6.2.5-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/git-1.6.2.5-1.fc11
git-1.6.0.6-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc10
git-1.6.0.6-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc9
git-1.6.0.6-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
git-1.6.2.5-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
git-1.6.0.6-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.