Bug 618108 (CVE-2010-2542) - CVE-2010-2542 Git: Arbitrary code execution via specially-crafted .git file
Summary: CVE-2010-2542 Git: Arbitrary code execution via specially-crafted .git file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2542
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 617422 618112 637953
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-26 07:03 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:38 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-10 12:02:40 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-07-26 07:03:02 UTC
A buffer overrun was found in the way Git sanitized path of a git directory.
If a local attacker would create a specially-crafted working copy and trick
the local user into running any git command, it could lead to arbitrary
code execution with the privileges of the user running the Git command.

References:
  [1] http://seclists.org/oss-sec/2010/q3/93
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=617422

Upstream patches:
  [3] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hp=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f
  [4] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20;hp=2a5fe2545882721d6841bad11dae0f15b454bf0d

Comment 2 Jan Lieskovsky 2010-07-26 07:09:03 UTC
This issue has been addressed in the current versions of the git
package, present in Fedora -testing repository (git-1.7.2-1.fc1{2,3,4}).

Comment 3 Vincent Danen 2010-09-27 20:39:05 UTC
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 637953]

Comment 4 Vincent Danen 2010-09-27 20:41:07 UTC
This affects the current version of cgit as found in Fedora.  Upstream has released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct this issue:

http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

(I'm not sure if it's possible to make cgit use the system git, but it should probably be explored).

Comment 5 Todd Zullinger 2010-09-27 22:07:37 UTC
(In reply to comment #4)
> This affects the current version of cgit as found in Fedora.  Upstream has
> released a new version of cgit (0.8.3.4) that includes git 1.7.3 to correct
> this issue:
> 
> http://hjemli.net/git/cgit/commit/?h=v0.8.3.4&id=82a883ede7e47616aba041a5eb36e08666ef9177

I saw the cgit announcement earlier.  I will update cgit tonight or tomorrow morning.

> (I'm not sure if it's possible to make cgit use the system git, but it should
> probably be explored).

This was discussed prior to introducing cgit in Fedora and it's not something we can do.  Git doesn't provide any library interface.  Cgit would have to be incorporated into git or git would have to grow a stable library interface.  Neither of which seem imminent, unfortunately.  Eventually, libgit2 may reach a point where it can be used, but that also isn't near-term.

Comment 6 Todd Zullinger 2010-09-27 23:49:05 UTC
I applied the 2 line patch to git rather that bump cgit from 0.8.2.1 to 0.8.3.4 to fix this issue in F-1{2..4} and EL-{5,6}.  That way I can update to 0.8.3.4 and let it receive some time in updates-testing without keeping users vulnerable.

Comment 7 Vincent Danen 2010-09-28 17:41:36 UTC
Thanks for that, Todd.  And for the explanation as well.  Makes sense, but we'll have to keep this in mind for future git issues that come up as well.

Comment 8 Todd Zullinger 2010-09-28 17:54:04 UTC
Yes, indeed.  It's certainly a less than ideal situation, for exactly this sort of issue.

And thank you for helping keep us more secure.


Note You need to log in before you can comment on or make changes to this bug.