Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-20 Thread Jonathan Nieder
On Thu, Mar 17, 2016 at 12:37:27AM +, Ben Hutchings wrote:
> On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
>> Ben Hutchings wrote:

>>> I intend to NMU git to fix these bugs in unstable, as they make most of
>>> my development activity unsafe.
>>>
>>> git maintainers, please let me know if you're already preparing an
>>> update.
>>
>> I'm already preparing an update.
>
> Thanks.  For what it's worth, I'm attaching my minimal fix for
> CVE-2016-2324.  All existing tests pass, but I don't have a reproducer
> for the security issue so I can't be certain it's fixed.

More patches are needed.  See 
https://git.kernel.org/cgit/git/git.git/log/?h=maint
(I mention this mostly for the sake of people backporting to stable,
testing, or oldstable.)



Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Ben Hutchings
I intend to NMU git to fix these bugs in unstable, as they make most of
my development activity unsafe.

git maintainers, please let me know if you're already preparing an
update.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.




Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Jonathan Nieder
Ben Hutchings wrote:

> I intend to NMU git to fix these bugs in unstable, as they make most of
> my development activity unsafe.
>
> git maintainers, please let me know if you're already preparing an
> update.

I'm already preparing an update.

Jonathan



Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Ben Hutchings
On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
> Ben Hutchings wrote:
> 
> > 
> > I intend to NMU git to fix these bugs in unstable, as they make most of
> > my development activity unsafe.
> > 
> > git maintainers, please let me know if you're already preparing an
> > update.
> I'm already preparing an update.

Thanks.  For what it's worth, I'm attaching my minimal fix for
CVE-2016-2324.  All existing tests pass, but I don't have a reproducer
for the security issue so I can't be certain it's fixed.

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer

From: Ben Hutchings
Date: Wed, 16 Mar 2016 23:53:59 +
Subject: Fix integer overflow in path_name() function

This addresses CVE-2016-2324, which was fixed upstream by commit
13528ab37cad ("list-objects: convert name_path to a strbuf").

Instead of making API changes, fix the type of name_path::elem_len to
be size_t and use the st_add*() functions to check for overflow in
path_name().

show_path_component_truncated() currently returns a length derived
from name_path::elem_len *or* -1, but its caller only cares about
the sign of the result so squash the length to 0 or 1.

Signed-off-by: Ben Hutchings 
---
 revision.c | 12 ++--
 revision.h |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/revision.c b/revision.c
index df56fce..d4cb2e2 100644
--- a/revision.c
+++ b/revision.c
@@ -29,12 +29,12 @@ char *path_name(const struct name_path *path, const char *name)
 {
 	const struct name_path *p;
 	char *n, *m;
-	int nlen = strlen(name);
-	int len = nlen + 1;
+	size_t nlen = strlen(name);
+	size_t len = st_add(nlen, 1);
 
 	for (p = path; p; p = p->up) {
 		if (p->elem_len)
-			len += p->elem_len + 1;
+			len = st_add3(len, p->elem_len, 1);
 	}
 	n = xmalloc(len);
 	m = n + len - (nlen + 1);
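Review bot: the new `st_add(nlen, 1)` and `st_add3(len, p->elem_len, 1)` calls depend on the size_t overflow helpers from upstream's git-compat-util.h, and the diffstat shows nothing added besides revision.c and revision.h, so this only builds against a tree that already carries those helpers; for the 1:2.7.0-1 package named in the bug report, confirm they are present or backport them alongside this change. Note that the helpers die() on overflow rather than returning an error, which is the intended behaviour here: a wrapped `len` previously reached xmalloc() unchecked. The remaining `m = n + len - (nlen + 1)` is safe as written, because `st_add(nlen, 1)` has already established that `nlen + 1` cannot wrap.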
@@ -49,16 +49,16 @@ char *path_name(const struct name_path *path, const char *name)
 	return n;
 }
 
-static int show_path_component_truncated(FILE *out, const char *name, int len)
+static int show_path_component_truncated(FILE *out, const char *name, size_t len)
 {
-	int cnt;
+	size_t cnt;
 	for (cnt = 0; cnt < len; cnt++) {
 		int ch = name[cnt];
 		if (!ch || ch == '\n')
 			return -1;
 		fputc(ch, out);
 	}
-	return len;
+	return !!len;
 }
 
 static int show_path_truncated(FILE *out, const struct name_path *path)
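Review bot: `return !!len;` changes the success value from the component length to 0 or 1 while the failure path still returns -1; the caller show_path_truncated() lies outside this hunk, so check that it only tests the sign (as the commit message states) and never uses the value as a count, and add a one-line comment above the function documenting the new contract (-1 if a NUL or newline occurs in the first `len` bytes, otherwise 0 for an empty component and 1 for a non-empty one), since an `int` return paired with a `size_t len` invites someone to restore `return len;` later. The loop itself is fine: `cnt` and `len` are now both size_t, so the comparison no longer mixes signedness.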
diff --git a/revision.h b/revision.h
index 23857c0..8e052c5 100644
--- a/revision.h
+++ b/revision.h
@@ -259,7 +259,7 @@ extern void mark_tree_uninteresting(struct tree *tree);
 
 struct name_path {
 	struct name_path *up;
-	int elem_len;
+	size_t elem_len;
 	const char *elem;
 };
 
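Review bot: widening `name_path::elem_len` to size_t changes a struct that revision.h exports to the rest of the tree, and this diff touches no other file; every site that assigns elem_len or compares it with an int (the list-objects code that builds these chains, for example) should be reviewed for sign-changed comparisons and for negative int values silently converted to huge size_t values, which is the churn upstream sidestepped by converting name_path to a strbuf in 13528ab37cad, as the commit message notes. Grep for elem_len across the package and record in the commit message that those sites were checked.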


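The length arithmetic the patch changes, worked through as a small stand-alone C program (an added example, not code from git, from Ben Hutchings' patch or from this thread). checked_add() is a stand-in for git's st_add() that reports overflow instead of calling die(); path_alloc_len() mirrors the post-fix loop of path_name(); int_accumulator_would_overflow() answers whether the old `int len` accumulator would have exceeded INT_MAX for a given chain without performing the undefined signed overflow itself. struct name_path is reproduced from the patch's revision.h hunk; the name_path chains, the MAX_DEPTH limit, the build_chain()/alloc_len_for()/int_overflow_for() helpers and the SAMPLE_* arrays are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for git's struct name_path as it reads after the revision.h hunk:
 * elem_len is size_t.  elem is carried but unused, since only the length
 * arithmetic of path_name() is being demonstrated. */
struct name_path {
    struct name_path *up;
    size_t elem_len;
    const char *elem;
};

/* Checked addition in the spirit of git's st_add().  git's helper die()s on
 * overflow; this stand-in reports the condition so a caller can observe it. */
static bool checked_add(size_t a, size_t b, size_t *out)
{
    if (SIZE_MAX - a < b)
        return false;
    *out = a + b;
    return true;
}

/* Post-fix arithmetic of path_name(): nlen + 1, then elem_len + 1 for every
 * non-empty component up the chain, each step checked.  Returns the size to
 * hand to xmalloc(), or 0 when the sum would wrap (0 is never a valid answer
 * because nlen + 1 >= 1). */
static size_t path_alloc_len(const struct name_path *path, size_t nlen)
{
    const struct name_path *p;
    size_t len;

    if (!checked_add(nlen, 1, &len))
        return 0;
    for (p = path; p; p = p->up) {
        if (!p->elem_len)
            continue;
        if (!checked_add(len, p->elem_len, &len) || !checked_add(len, 1, &len))
            return 0;
    }
    return len;
}

/* Would the pre-fix `int len` accumulator have exceeded INT_MAX on this
 * chain?  Answered without performing the signed overflow itself, which is
 * undefined behaviour in C and the root of CVE-2016-2324. */
static bool int_accumulator_would_overflow(const struct name_path *path, size_t nlen)
{
    const struct name_path *p;
    size_t total;

    if (nlen >= (size_t)INT_MAX)        /* nlen + 1 > INT_MAX */
        return true;
    total = nlen + 1;                   /* <= INT_MAX from here on */
    for (p = path; p; p = p->up) {
        if (!p->elem_len)
            continue;
        /* total + elem_len + 1 > INT_MAX  <=>  elem_len >= INT_MAX - total */
        if (p->elem_len >= (size_t)INT_MAX - total)
            return true;
        total += p->elem_len + 1;
    }
    return false;
}

/* Constructed helpers: build a chain from an array of component lengths
 * (lens[0] is the innermost component).  MAX_DEPTH is an assumed limit. */
#define MAX_DEPTH 16

static const struct name_path *build_chain(struct name_path *chain, const size_t *lens, size_t depth)
{
    size_t i;
    for (i = 0; i < depth; i++) {
        chain[i].elem_len = lens[i];
        chain[i].elem = NULL;
        chain[i].up = (i + 1 < depth) ? &chain[i + 1] : NULL;
    }
    return depth ? &chain[0] : NULL;
}

static size_t alloc_len_for(const size_t *lens, size_t depth, size_t nlen)
{
    struct name_path chain[MAX_DEPTH];
    return depth > MAX_DEPTH ? 0 : path_alloc_len(build_chain(chain, lens, depth), nlen);
}

static bool int_overflow_for(const size_t *lens, size_t depth, size_t nlen)
{
    struct name_path chain[MAX_DEPTH];
    return depth > MAX_DEPTH ? true : int_accumulator_would_overflow(build_chain(chain, lens, depth), nlen);
}

/* Constructed inputs: component lengths only, no real paths. */
static const size_t SAMPLE_SMALL[]      = { 3, 4 };              /* fits everywhere */
static const size_t SAMPLE_WITH_EMPTY[] = { 0, 2 };              /* empty component is skipped */
static const size_t SAMPLE_INT_WRAP[]   = { INT_MAX - 10, 20 };  /* wraps int, fits size_t */
static const size_t SAMPLE_SIZE_WRAP[]  = { SIZE_MAX - 4, 1 };   /* wraps even size_t */

int main(void)
{
    printf("small:      alloc %zu, int overflow %d\n",
           alloc_len_for(SAMPLE_SMALL, 2, 5), int_overflow_for(SAMPLE_SMALL, 2, 5));
    printf("with empty: alloc %zu, int overflow %d\n",
           alloc_len_for(SAMPLE_WITH_EMPTY, 2, 1), int_overflow_for(SAMPLE_WITH_EMPTY, 2, 1));
    printf("int wrap:   alloc %zu, int overflow %d\n",
           alloc_len_for(SAMPLE_INT_WRAP, 2, 5), int_overflow_for(SAMPLE_INT_WRAP, 2, 5));
    printf("size wrap:  alloc %zu (0 = refused), int overflow %d\n",
           alloc_len_for(SAMPLE_SIZE_WRAP, 2, 5), int_overflow_for(SAMPLE_SIZE_WRAP, 2, 5));
    return 0;
}
```

The "int wrap" input is the interesting one for this bug: the checked size_t sum succeeds on a 32- or 64-bit size_t, while the old int accumulator would have wrapped, which is exactly the case the patch turns from silent overflow into a checked failure.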


Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-19 Thread Salvatore Bonaccorso
Hi all,

Want to try to summarize:

CVE-2016-2315, fixed by
https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305
(v2.7.0-rc0).

Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name
removal, in
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
(v2.8.0-rc0). So this is *not* in any 2.7.x. According to the CVE
assignment, CVE-2016-2324 is for 'Related ... is integer overflow due
to a loop which adds more to "len"'. See:

http://www.openwall.com/lists/oss-security/2016/03/16/2

There is further one mentioned in the initial post, which is related
to a similar issue in the diff code, which should be
https://github.com/git/git/commit/5b442c4f2723211ce0d862571e88ee206bfd51bf
(v2.7.3) and has no CVE so far.

Laszlo mentioned then as well
https://github.com/git/git/commit/13e0b0d3dc76353632dcb0bc63cdf03426154317
(v2.7.3); this is a separate issue, not related to the two assigned
CVEs AFAICS, but it will be fixed as well by a 2.7.3-based
upload.

The original reporter mentions being safe with 2.7.1, but in the light
of the second commit this does not look fully correct?

Do you concur on this summary?

Regards,
Salvatore




Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-18 Thread Salvatore Bonaccorso
Control: retitle -1 git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

Hi,

On Wed, Mar 16, 2016 at 12:22:59PM +0100, Salvatore Bonaccorso wrote:
> Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name
> removal, in
> https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
> (v2.8.0-rc0). So this is *not* in any 2.7.x. According to the CVE
> assignment, CVE-2016-2324 is for 'Related ... is integer overflow due
> to a loop which adds more to "len"'. See:
> 
> http://www.openwall.com/lists/oss-security/2016/03/16/2

For reference as well the confirmation in
http://www.openwall.com/lists/oss-security/2016/03/16/9

Regards,
Salvatore



Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-15 Thread GCS
On Tue, Mar 15, 2016 at 10:13 PM, Ximin Luo  wrote:
> http://seclists.org/oss-sec/2016/q1/645
>
> Please upload 2.7.1 ASAP.
Just for the record, it should be 2.7.3 due to an integer overflow
fix[1] (no CVE). On the other hand, CVE-2016-2315 is already fixed in
Stretch and Sid[2] with the 2.7.0 version.

Laszlo/GCS
[1] https://github.com/git/git/commit/13e0b0d3dc76353632dcb0bc63cdf03426154317
[2] https://security-tracker.debian.org/tracker/CVE-2016-2315



Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-15 Thread Ximin Luo
Package: git
Version: 1:2.7.0-1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

This was just posted:

http://seclists.org/oss-sec/2016/q1/645

Please upload 2.7.1 ASAP.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages git depends on:
ii  git-man   1:2.7.0-1
ii  libc6 2.21-9
ii  libcurl3-gnutls   7.47.0-1
ii  liberror-perl 0.17-1.2
ii  libexpat1 2.1.0-7
ii  libpcre3  2:8.38-3
ii  perl-modules-5.22 [perl-modules]  5.22.1-8
ii  zlib1g1:1.2.8.dfsg-2+b1

Versions of packages git recommends:
ii  less 481-2.1
ii  openssh-client [ssh-client]  1:7.1p2-2
ii  patch2.7.5-1
ii  rsync3.1.1-3

Versions of packages git suggests:
ii  gettext-base 0.19.7-2
ii  git-arch 1:2.7.0-1
ii  git-cvs  1:2.7.0-1
ii  git-daemon-sysvinit  1:2.7.0-1
ii  git-doc  1:2.7.0-1
ii  git-el   1:2.7.0-1
ii  git-email1:2.7.0-1
ii  git-gui  1:2.7.0-1
ii  git-mediawiki1:2.7.0-1
ii  git-svn  1:2.7.0-1
ii  gitk 1:2.7.0-1
ii  gitweb   1:2.7.0-1

-- no debconf information