A buffer overrun was found in the way Git sanitized the path of a git directory. If a local attacker created a specially-crafted working copy and tricked the local user into running any git command, it could lead to arbitrary code execution with the privileges of the user running the Git command.

References:
[1] http://seclists.org/oss-sec/2010/q3/93
[2] https://bugzilla.redhat.com/show_bug.cgi?id=617422

Upstream patches:
[3] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hp=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f
[4] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20;hp=2a5fe2545882721d6841bad11dae0f15b454bf0d
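The report above describes the bug only as an unbounded copy of a git-directory path taken from an attacker-controlled working copy. The following is an added illustration of that pattern and of the bounds-checked form; it is not Git's code and not from this bug report. It assumes the ".git" file format "gitdir: <path>" (which is the real gitfile format), and the function names, the PATH_MAX fallback and the synthetic inputs are constructed here for demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Illustrative only, not Git's own code: the pattern the report describes,
 * an unbounded strcpy/strcat of an attacker-controlled directory path into
 * a fixed-size buffer. Nothing below calls this with overlong input. */
int objects_path_unsafe(const char *gitdir, char path[PATH_MAX]) {
    strcpy(path, gitdir);   /* overruns `path` once strlen(gitdir) >= PATH_MAX */
    strcat(path, "/objects");
    return 1;
}

/* Hardened form: account for the suffix and the NUL up front, and refuse
 * (rather than silently truncate) anything that does not fit. */
int objects_path_checked(const char *gitdir, char *path, size_t pathsz) {
    static const char suffix[] = "/objects";
    size_t len = strlen(gitdir);
    if (len + sizeof(suffix) > pathsz)   /* sizeof(suffix) counts the NUL */
        return 0;
    memcpy(path, gitdir, len);
    memcpy(path + len, suffix, sizeof(suffix));
    return 1;
}

/* Parse a ".git" file body of the form "gitdir: <path>\n" into `out`,
 * bounding the copy by `outsz`. Returns 1 on success, 0 otherwise. */
int parse_gitfile(const char *content, char *out, size_t outsz) {
    static const char prefix[] = "gitdir: ";
    size_t plen = sizeof(prefix) - 1, len;
    if (strncmp(content, prefix, plen) != 0)
        return 0;
    content += plen;
    len = strcspn(content, "\r\n");     /* the path ends at end of line */
    if (len == 0 || len >= outsz)       /* empty, or no room for the NUL */
        return 0;
    memcpy(out, content, len);
    out[len] = '\0';
    return 1;
}

/* Full checked pipeline: gitfile body -> gitdir -> "<gitdir>/objects".
 * Returns 1 if every step fits its buffer, 0 if any step rejects. */
int check_gitfile(const char *content) {
    char gitdir[PATH_MAX], objects[PATH_MAX];
    if (!parse_gitfile(content, gitdir, sizeof gitdir))
        return 0;
    return objects_path_checked(gitdir, objects, sizeof objects);
}

/* Constructed input: a gitfile whose path is n bytes of 'a'. Lets the
 * boundary be probed without a real working copy on disk. */
int check_synthetic_gitdir(size_t n) {
    static char content[2 * PATH_MAX + 16];
    if (n > 2 * PATH_MAX)
        return 0;
    memcpy(content, "gitdir: ", 8);
    memset(content + 8, 'a', n);
    content[8 + n] = '\n';
    content[9 + n] = '\0';
    return check_gitfile(content);
}

int main(void) {
    printf("short gitdir accepted (1 expected): %d\n", check_synthetic_gitdir(32));
    printf("PATH_MAX-long gitdir rejected (0 expected): %d\n",
           check_synthetic_gitdir(PATH_MAX));
    printf("malformed gitfile rejected (0 expected): %d\n",
           check_gitfile("ref: refs/heads/master\n"));
    return 0;
}
```

The point of the checked variant is that the length test includes both the suffix that will be appended later and the terminating NUL, and that an oversize path is rejected outright; truncating it instead would silently point Git at a different directory, which is its own class of bug.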
This issue has been addressed in the current versions of the git package, present in the Fedora -testing repository (git-1.7.2-1.fc1{2,3,4}).
Created cgit tracking bugs for this issue.
Affects: fedora-all [bug 637953]
This affects the current version of cgit as found in Fedora. Upstream has released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct this issue: http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177 (I'm not sure if it's possible to make cgit use the system git, but it should probably be explored).
(In reply to comment #4)
> This affects the current version of cgit as found in Fedora. Upstream has
> released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct
> this issue:
>
> http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

I saw the cgit announcement earlier. I will update cgit tonight or tomorrow morning.

> (I'm not sure if it's possible to make cgit use the system git, but it should
> probably be explored).

This was discussed prior to introducing cgit in Fedora and it's not something we can do. Git doesn't provide any library interface. Cgit would have to be incorporated into git, or git would have to grow a stable library interface. Neither of which seems imminent, unfortunately. Eventually, libgit2 may reach a point where it can be used, but that also isn't near-term.
I applied the 2-line patch to git rather than bump cgit from 0.8.2.1 to 0.8.3.4 to fix this issue in F-1{2..4} and EL-{5,6}. That way I can update to 0.8.3.4 and let it receive some time in updates-testing without keeping users vulnerable.
Thanks for that, Todd. And for the explanation as well. Makes sense, but we'll have to keep this in mind for future git issues that come up as well.
Yes, indeed. It's certainly a less than ideal situation, for exactly this sort of issue. And thank you for helping keep us more secure.