Re: [SECURITY] [DSA 1637-1] New git-core packages fix buffer overflow

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1637-1] New git-core packages fix buffer overflow
From: Dmitry Potapov <dpotapov@gmail.com>
Date: Tue, 16 Sep 2008 02:28:19 +0400
Message-id: <[🔎] 20080915222819.GJ28210@dpotapov.dyndns.org>
In-reply-to: <E1Kf8fX-0007Z8-1E@klecker.debian.org>
References: <E1Kf8fX-0007Z8-1E@klecker.debian.org>

Hello Debian Security Team,

On Mon, Sep 15, 2008 at 07:38:47AM +0000, Devin Carraway wrote:
> 
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1637-1                  security@debian.org
> http://www.debian.org/security/                           Devin Carraway
> September 15, 2008                    http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
> 
> Package        : git-core
> Vulnerability  : buffer overflow
> Problem type   : local (remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2008-3546
> Debian Bug     : 494097
> 
> Multiple vulnerabilities have been identified in git-core, the core of
> the git distributed revision control system.  Improper path length
> limitations in git's diff and grep functions, in combination with
> maliciously crafted repositories or changes, could enable a stack
> buffer overflow and potentially the execution of arbitrary code.
> 
> The Common Vulnerabilities and Exposures project identifies this
> vulnerabilitiy as CVE-2008-3546.
> 
> For the stable distribution (etch), this problem has been fixed in
> version 1.4.4.4-2.1+etch1.

I believe that a stack buffer overflow in git-grep is not fixed.
Here is the patch:
http://repo.or.cz/w/git.git?a=commitdiff;h=620e2bb93785ed8eb60846d94fd4753d4817c8ec
The Debian Bug report mentions it, but somehow it was not applied
to 1.4.4.4-2.1+etch1. I have downloaded sources and still can see
that the grep_tree function contains the following line:
   strcpy(path_buf + len, entry.path);
This line causes a stack buffer overflow if entry.path is longer
than PATH_MAX.

BTW, there is another related fix:
http://repo.or.cz/w/git.git?a=commitdiff;h=7fec10b7f41fa32e71aa6377bd04cd7c6fb419e0

The comment to it says "we are mostly protected by the fact that many
codepaths first copy the path in a variable of size PATH_MAX, which
typically is 4096." But mostly does not mean every situation, and IIRC,
Git did crash being given too long name (probably memory corruption).
Actually, another reason why I mention this patch, it includes a test
case, which demonstrates a simple way how to create Git repository with
names longer than PATH_MAX. I used that method to find aforementioned
bugs in diff and grep functions as well to test my patches.

Hopefully, this information will be useful.

Thanks,
Dmitry

Reply to:

Prev by Date: Auto-Re: [SECURITY] [DSA 1637-1] New git-core packages fix buffer overflow
Next by Date: Re: [SECURITY] [DSA 1638-1] New openssh packages fix denial of service
Previous by thread: Auto-Re: [SECURITY] [DSA 1637-1] New git-core packages fix buffer overflow
Next by thread: Re: [SECURITY] [DSA 1638-1] New openssh packages fix denial of service
Index(es):
- Date
- Thread