Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
On Thu, Mar 17, 2016 at 12:37:27AM +, Ben Hutchings wrote:
> On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
>> Ben Hutchings wrote:
>>> I intend to NMU git to fix these bugs in unstable, as they make most of
>>> my development activity unsafe.
>>>
>>> git maintainers, please let me know if you're already preparing an
>>> update.
>>
>> I'm already preparing an update.
>
> Thanks. For what it's worth, I'm attaching my minimal fix for
> CVE-2016-2324. All existing tests pass, but I don't have a reproducer
> for the security issue so I can't be certain it's fixed.

More patches are needed. See https://git.kernel.org/cgit/git/git.git/log/?h=maint

(I mention this mostly for the sake of people backporting to stable, testing, or oldstable.)
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
I intend to NMU git to fix these bugs in unstable, as they make most of my development activity unsafe.

git maintainers, please let me know if you're already preparing an update.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
Ben Hutchings wrote:
> I intend to NMU git to fix these bugs in unstable, as they make most of
> my development activity unsafe.
>
> git maintainers, please let me know if you're already preparing an
> update.

I'm already preparing an update.

Jonathan
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote: > Ben Hutchings wrote: > > > > > I intend to NMU git to fix these bugs in unstable, as they make most of > > my development activity unsafe. > > > > git maintainers, please let me know if you're already preparing an > > update. > I'm already preparing an update. Thanks. For what it's worth, I'm attaching my minimal fix for CVE-2016-2324. All existing tests pass, but I don't have a reproducer for the security issue so I can't be certain it's fixed. Ben. -- Ben Hutchings Absolutum obsoletum. (If it works, it's out of date.) - Stafford BeerFrom: Ben HutchingsDate: Wed, 16 Mar 2016 23:53:59 + Subject: Fix integer overflow in path_name() function This addresses CVE-2016-2324, which was fixed upstream by commit 13528ab37cad ("list-objects: convert name_path to a strbuf"). Instead of making API changes, fix the type of name_path::elem_len to be size_t and use the st_add*() functions to check for voerflow in path_name(). show_path_component_truncated() currently returns a length derived from name_path::elem_len *or* -1, but its caller only cares about the sign of the result so squash the length to 0 or 1. Signed-off-by: Ben Hutchings --- revision.c | 12 ++-- revision.h | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/revision.c b/revision.c index df56fce..d4cb2e2 100644 --- a/revision.c +++ b/revision.c @@ -29,12 +29,12 @@ char *path_name(const struct name_path *path, const char *name) { const struct name_path *p; char *n, *m; - int nlen = strlen(name); - int len = nlen + 1; + size_t nlen = strlen(name); + size_t len = st_add(nlen, 1); for (p = path; p; p = p->up) { if (p->elem_len) - len += p->elem_len + 1; + len = st_add3(len, p->elem_len, 1); } n = xmalloc(len); m = n + len - (nlen + 1); 
@@ -49,16 +49,16 @@ char *path_name(const struct name_path *path, const char *name) return n; } -static int show_path_component_truncated(FILE *out, const char *name, int len) +static int show_path_component_truncated(FILE *out, const char *name, size_t len) { - int cnt; + size_t cnt; for (cnt = 0; cnt < len; cnt++) { int ch = name[cnt]; if (!ch || ch == '\n') return -1; fputc(ch, out); } - return len; + return !!len; } static int show_path_truncated(FILE *out, const struct name_path *path) diff --git a/revision.h b/revision.h index 23857c0..8e052c5 100644 --- a/revision.h +++ b/revision.h @@ -259,7 +259,7 @@ extern void mark_tree_uninteresting(struct tree *tree); struct name_path { struct name_path *up; - int elem_len; + size_t elem_len; const char *elem; }; signature.asc Description: This is a digitally signed message part
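Review bot: in the first revision.c hunk, st_add() and st_add3() die() on overflow, so in `len = st_add3(len, p->elem_len, 1);` a hostile chain of path components now terminates the process instead of yielding an undersized xmalloc(len) buffer; that controlled abort is the intended outcome and is worth stating in the commit message for backporters who, like the author, have no reproducer. The later `m = n + len - (nlen + 1);` recomputes nlen + 1 unchecked, which is only safe because `size_t len = st_add(nlen, 1);` already proved it fits; reusing that checked value, or a one-line comment, would make the dependency explicit.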
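Review bot: in the show_path_component_truncated() hunk, `return !!len;` changes what the function reports from the component length to a 0/1 flag while the name and `int` return type still suggest a length; add a comment above the function stating that callers may only test the result for a negative value, and confirm that show_path_truncated() (the caller, whose body is outside this diff) never uses the return value as a byte count. The `cnt < len` loop with `size_t cnt` is correct for the full range of the new parameter type.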
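Review bot: the revision.h hunk widens `elem_len` from `int` to `size_t`, but the diffstat shows only revision.c and revision.h changed, and path_name() only reads the field; the code that populates the name_path chain is outside this diff. Every writer should be checked for assignments from signed int lengths and every reader for signed comparisons, since such a site will not produce a compiler error under git's default warning flags; a short note in the commit message listing the audited sites would help stable backporters.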
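Added illustration (not Ben's patch and not git's own code) of the length arithmetic that path_name() performs, first as the pre-patch wrapping sum and then with st_add-style checked additions as the commit message describes. checked_add is a hypothetical stand-in for git's st_add() that flags the overflow instead of calling die(), and the name_path chains are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as git's struct name_path after the patch (elem_len is size_t). */
struct name_path { struct name_path *up; size_t elem_len; const char *elem; };

/* Modelled on git's st_add(): flag a+b wrapping instead of die()ing (assumed variant). */
static size_t checked_add(size_t a, size_t b, int *overflow)
{
    if (b > SIZE_MAX - a)
        *overflow = 1;
    return a + b;
}

/* Pre-patch arithmetic: 'len += p->elem_len + 1' wraps silently with size_t
 * (with the original int fields the overflow is undefined behaviour). */
size_t path_len_unchecked(const struct name_path *path, const char *name)
{
    size_t len = strlen(name) + 1;
    for (const struct name_path *p = path; p; p = p->up)
        if (p->elem_len)
            len += p->elem_len + 1;
    return len;
}

/* Post-patch arithmetic: mirrors st_add(nlen, 1) and st_add3(len, elem_len, 1).
 * Returns 0 (never a valid length) where git would die() before xmalloc(). */
size_t path_len_checked(const struct name_path *path, const char *name)
{
    int overflow = 0;
    size_t len = checked_add(strlen(name), 1, &overflow);
    for (const struct name_path *p = path; p; p = p->up)
        if (p->elem_len)
            len = checked_add(checked_add(len, p->elem_len, &overflow), 1, &overflow);
    return overflow ? 0 : len;
}

/* Constructed inputs: "dir/file.c" under a root whose elem_len 0 is skipped,
 * and one hostile element claiming SIZE_MAX - 5 bytes. */
static struct name_path root = { NULL, 0, "" };
static struct name_path dir = { &root, 3, "dir" };
static struct name_path hostile = { NULL, SIZE_MAX - 5, "x" };

size_t demo_normal(void)            { return path_len_checked(&dir, "file.c"); }       /* 11 */
size_t demo_hostile_unchecked(void) { return path_len_unchecked(&hostile, "file.c"); } /* 2 */
size_t demo_hostile_checked(void)   { return path_len_checked(&hostile, "file.c"); }   /* 0 */
```

The hostile case shows why the check matters: the unchecked sum wraps to 2, which would have been handed to xmalloc(), while the checked version refuses before any allocation.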
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1
Hi all,

Want to try to summarize:

CVE-2016-2315, fixed by https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 (v2.7.0-rc0).

Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name removal, in https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d (v2.8.0-rc0). So this is *not* in any 2.7.x. According to the CVE assignment, CVE-2016-2324 is for 'Related ... is integer overflow due to a loop which adds more to "len"'. See:

http://www.openwall.com/lists/oss-security/2016/03/16/2

There is a further one mentioned in the initial post, which is related to a similar issue in the diff code, which should be https://github.com/git/git/commit/5b442c4f2723211ce0d862571e88ee206bfd51bf (v2.7.3) and has no CVE so far.

Laszlo mentioned then as well https://github.com/git/git/commit/13e0b0d3dc76353632dcb0bc63cdf03426154317 (v2.7.3), this is a separate issue, but not related to the two assigned CVEs AFAICS, but will be fixed as well if updating to 2.7.3 based upload.

The original reporter mentions to be safe with 2.7.1, but in the light of the second commit this does not look fully correct?

Do you concur on this summary?

Regards,
Salvatore
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
Control: retitle -1 git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

Hi,

On Wed, Mar 16, 2016 at 12:22:59PM +0100, Salvatore Bonaccorso wrote:
> Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name
> removal, in
> https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
> (v2.8.0-rc0). So this is *not* in any 2.7.x. According to the CVE
> assignment, CVE-2016-2324 is for 'Related ... is integer overflow due
> to a loop which adds more to "len"'. See:
>
> http://www.openwall.com/lists/oss-security/2016/03/16/2

For reference as well the confirmation in http://www.openwall.com/lists/oss-security/2016/03/16/9

Regards,
Salvatore
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1
On Tue, Mar 15, 2016 at 10:13 PM, Ximin Luo wrote:
> http://seclists.org/oss-sec/2016/q1/645
>
> Please upload 2.7.1 ASAP.

Just for the record, it should be 2.7.3 due to an integer overflow fix[1] (no CVE). On the other hand, CVE-2016-2315 is already fixed in Stretch and Sid[2] with the 2.7.0 version.

Laszlo/GCS

[1] https://github.com/git/git/commit/13e0b0d3dc76353632dcb0bc63cdf03426154317
[2] https://security-tracker.debian.org/tracker/CVE-2016-2315
Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1
Package: git
Version: 1:2.7.0-1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

This was just posted: http://seclists.org/oss-sec/2016/q1/645

Please upload 2.7.1 ASAP.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages git depends on:
ii  git-man                           1:2.7.0-1
ii  libc6                             2.21-9
ii  libcurl3-gnutls                   7.47.0-1
ii  liberror-perl                     0.17-1.2
ii  libexpat1                         2.1.0-7
ii  libpcre3                          2:8.38-3
ii  perl-modules-5.22 [perl-modules]  5.22.1-8
ii  zlib1g                            1:1.2.8.dfsg-2+b1

Versions of packages git recommends:
ii  less                         481-2.1
ii  openssh-client [ssh-client]  1:7.1p2-2
ii  patch                        2.7.5-1
ii  rsync                        3.1.1-3

Versions of packages git suggests:
ii  gettext-base         0.19.7-2
ii  git-arch             1:2.7.0-1
ii  git-cvs              1:2.7.0-1
ii  git-daemon-sysvinit  1:2.7.0-1
ii  git-doc              1:2.7.0-1
ii  git-el               1:2.7.0-1
ii  git-email            1:2.7.0-1
ii  git-gui              1:2.7.0-1
ii  git-mediawiki        1:2.7.0-1
ii  git-svn              1:2.7.0-1
ii  gitk                 1:2.7.0-1
ii  gitweb               1:2.7.0-1

-- no debconf information