full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [PLSA 2008-19] Git: Multip

[Full-disclosure] [PLSA 2008-19] Git: Multiple Buffer Overflows

From: Pınar Yanardağ <pinar_at_nospam>
Date: Thu Aug 07 2008 - 00:27:43 GMT
To: pardus-security@pardus.org.tr



Pardus Linux Security Advisory 2008-19 security@pardus.org.tr
Date: 2008-08-07 Severity: 2 Type: Remote
------------------------------------------------------------------------

Summary


Some vulnerabilities have been reported in GIT, which can potentially be exploited by malicious people to compromise a user's system.

Description


The vulnerabilities are caused due to boundary errors in various functions when processing overly long repository pathnames. These can be exploited to cause stack-based buffer overflows by tricking a user into running e.g. "git-diff" or "git-grep" against a repository containing pathnames that are larger than the "PATH_MAX" value on the user's system.

Successful exploitation may allow execution of arbitrary code.

Affected packages:

   Pardus 2008: git, all before 1.5.6.4-66-3 git-emacs, all before 1.5.6.4-66-3 gitweb, all before 1.5.6.4-66-3 Pardus 2007: git, all before 1.5.6.4-66-51 git-emacs, all before 1.5.6.4-66-25 gitweb, all before 1.5.6.4-66-27

Resolution


There are update(s) for git, git-emacs, gitweb. You can update them via Package Manager or with a single command from console:

   Pardus 2008:
     pisi up git git-emacs gitweb

   Pardus 2007:
     pisi up git git-emacs gitweb

References


-- Pınar Yanardağ http://pinguar.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/