[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Intent to upload git-core to proposed-updates



Hi,
I'd like to upload a new git-core package to proposed-updates in order to fix 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590026.

This is a security issue but we don't plan to issue a DSA for this. Since 
Gerrit Pape is currently not available from what I know I prepared an NMU for 
s-p-u to fix this. Please let me know if I'm allowed to upload this.

debdiff attached.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u git-core-1.5.6.5/debian/changelog git-core-1.5.6.5/debian/changelog
--- git-core-1.5.6.5/debian/changelog
+++ git-core-1.5.6.5/debian/changelog
@@ -1,3 +1,12 @@
+git-core (1:1.5.6.5-3+lenny4.1) stable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/diff/0009-CVE-2010-2542.diff:
+    new; fix stack-based buffer overflow in handling gitdir
+    paths (Closes: #590026).
+
+ -- Nico Golde <nion@debian.org>  Tue, 27 Jul 2010 15:44:10 +0000
+
 git-core (1:1.5.6.5-3+lenny3) stable-security; urgency=high
 
   * debian/diff/0008-git-cvsserver-allow-regex-metacharacters-...diff:
only in patch2:
unchanged:
--- git-core-1.5.6.5.orig/debian/diff/0009-CVE-2010-2542.diff
+++ git-core-1.5.6.5/debian/diff/0009-CVE-2010-2542.diff
@@ -0,0 +1,15 @@
+X-Git-Url: http://git.kernel.org/?p=git%2Fgit.git;a=blobdiff_plain;f=setup.c;h=3bb046118cb612b16f35fa016032d1486c6e7190;hp=0e4cfe603f1afe515365c9daf1ad8406de8e7fa8;hb=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hpb=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f
+
+diff --git a/setup.c b/setup.c
+index 0e4cfe6..3bb0461 100644
+--- a/setup.c
++++ b/setup.c
+@@ -170,6 +170,8 @@ static int is_git_directory(const char *suspect)
+ 	char path[PATH_MAX];
+ 	size_t len = strlen(suspect);
+ 
++	if (PATH_MAX <= len + strlen("/objects"))
++		die("Too long path: %.*s", 60, suspect);
+ 	strcpy(path, suspect);
+ 	if (getenv(DB_ENVIRONMENT)) {
+ 		if (access(getenv(DB_ENVIRONMENT), X_OK))

Attachment: pgpQniAtnrIqo.pgp
Description: PGP signature


Reply to: