Bug 618108 - (CVE-2010-2542) CVE-2010-2542 Git: Arbitrary code execution via specially-crafted .git file
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
Priority: low  Severity: low
Assigned To: Red Hat Product Security
public=20100720,reported=20100722,sou...
Keywords: Security
Depends On: 617422 618112 637953
Reported: 2010-07-26 03:03 EDT by Jan Lieskovsky
Modified: 2015-10-15 17:13 EDT
Doc Type: Bug Fix
Last Closed: 2013-01-10 07:02:40 EST


Description Jan Lieskovsky 2010-07-26 03:03:02 EDT
A buffer overrun was found in the way Git sanitized the path of a git directory.
If a local attacker would create a specially-crafted working copy and trick
the local user into running any git command, it could lead to arbitrary
code execution with the privileges of the user running the Git command.

References:
  [1] http://seclists.org/oss-sec/2010/q3/93
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=617422

Upstream patches:
  [3] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hp=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f
  [4] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20;hp=2a5fe2545882721d6841bad11dae0f15b454bf0d
Comment 2 Jan Lieskovsky 2010-07-26 03:09:03 EDT
This issue has been addressed in the current versions of the git
package, present in Fedora -testing repository (git-1.7.2-1.fc1{2,3,4}).
Comment 3 Vincent Danen 2010-09-27 16:39:05 EDT
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 637953]
Comment 4 Vincent Danen 2010-09-27 16:41:07 EDT
This affects the current version of cgit as found in Fedora.  Upstream has released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct this issue:

http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

(I'm not sure if it's possible to make cgit use the system git, but it should probably be explored).
Comment 5 Todd Zullinger 2010-09-27 18:07:37 EDT
(In reply to comment #4)
> This affects the current version of cgit as found in Fedora.  Upstream has
> released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct
> this issue:
> 
> http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

I saw the cgit announcement earlier.  I will update cgit tonight or tomorrow morning.

> (I'm not sure if it's possible to make cgit use the system git, but it should
> probably be explored).

This was discussed prior to introducing cgit in Fedora and it's not something we can do.  Git doesn't provide any library interface.  Cgit would have to be incorporated into git or git would have to grow a stable library interface.  Neither of which seem imminent, unfortunately.  Eventually, libgit2 may reach a point where it can be used, but that also isn't near-term.
Comment 6 Todd Zullinger 2010-09-27 19:49:05 EDT
I applied the 2-line patch to git rather than bump cgit from 0.8.2.1 to 0.8.3.4 to fix this issue in F-1{2..4} and EL-{5,6}.  That way I can update to 0.8.3.4 and let it receive some time in updates-testing without keeping users vulnerable.
Comment 7 Vincent Danen 2010-09-28 13:41:36 EDT
Thanks for that, Todd.  And for the explanation as well.  Makes sense, but we'll have to keep this in mind for future git issues that come up as well.
Comment 8 Todd Zullinger 2010-09-28 13:54:04 EDT
Yes, indeed.  It's certainly a less than ideal situation, for exactly this sort of issue.

And thank you for helping keep us more secure.
