Your message dated Thu, 29 Jul 2010 20:03:32 +0000
with message-id <[email protected]>
and subject line Bug#590026: fixed in git-core 1:1.5.6.5-3+lenny3.1
has caused the Debian Bug report #590026,
regarding git-core: upstream fix for exploitable buffer overrun (CVE-2010-2542)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
590026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590026
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: git-core
Version: 1:1.7.1-1~bpo50+1
Severity: grave
Tags: security patch
Justification: user security hole
A fix for an exploitable buffer overrun (CVE-2010-2542, per [1]) was
committed to git in [2]. In particular, if an attacker were to create
a crafted working copy where the user runs any git command, the
attacker could force execution of arbitrary code.
This attack should be mitigated to a denial of service if git is
compiled with appropriate stack-protecting flags.
This buffer overrun was introduced in [3], which first appeared in
v1.5.6, and is fixed in v1.7.2.
Greg
[1] http://seclists.org/oss-sec/2010/q3/93
[2] http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc
[3] http://git.kernel.org/?p=git/git.git;a=commit;h=b44ebb19e3234c5dffe9869ceac5408bb44c2e20
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages git-core depends on:
ii git 1:1.7.1-1~bpo50+1 fast, scalable, distributed revisi
git-core recommends no packages.
git-core suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: git-core
Source-Version: 1:1.5.6.5-3+lenny3.1
We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:
git-arch_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-arch_1.5.6.5-3+lenny3.1_all.deb
git-core_1.5.6.5-3+lenny3.1.diff.gz
to main/g/git-core/git-core_1.5.6.5-3+lenny3.1.diff.gz
git-core_1.5.6.5-3+lenny3.1.dsc
to main/g/git-core/git-core_1.5.6.5-3+lenny3.1.dsc
git-core_1.5.6.5-3+lenny3.1_i386.deb
to main/g/git-core/git-core_1.5.6.5-3+lenny3.1_i386.deb
git-cvs_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-cvs_1.5.6.5-3+lenny3.1_all.deb
git-daemon-run_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.1_all.deb
git-doc_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-doc_1.5.6.5-3+lenny3.1_all.deb
git-email_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-email_1.5.6.5-3+lenny3.1_all.deb
git-gui_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-gui_1.5.6.5-3+lenny3.1_all.deb
git-svn_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/git-svn_1.5.6.5-3+lenny3.1_all.deb
gitk_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/gitk_1.5.6.5-3+lenny3.1_all.deb
gitweb_1.5.6.5-3+lenny3.1_all.deb
to main/g/git-core/gitweb_1.5.6.5-3+lenny3.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[email protected]> (supplier of updated git-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 27 Jul 2010 15:44:10 +0000
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: source i386 all
Version: 1:1.5.6.5-3+lenny3.1
Distribution: stable
Urgency: high
Maintainer: Gerrit Pape <[email protected]>
Changed-By: Nico Golde <[email protected]>
Description:
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Closes: 590026
Changes:
git-core (1:1.5.6.5-3+lenny3.1) stable; urgency=high
.
* Non-maintainer upload.
* debian/diff/0009-CVE-2010-2542.diff:
new; fix stack-based buffer overflow in handling gitdir
paths (Closes: #590026).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxRjgoACgkQHYflSXNkfP/svACfbBHTDOnrM1badQyYx38Cu3gm
Gi8An01m9/uXka4qJ1yYLAmiw3I1Ryx+
=WKn7
-----END PGP SIGNATURE-----
--- End Message ---