Message-ID: <48DBFE15.6040000@gentoo.org>
Date: Thu, 25 Sep 2008 23:09:41 +0200
From: Pierre-Yves Rofes
To: gentoo-announce@lists.gentoo.org
CC: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
    security-alerts@linuxsecurity.com
Subject: [gentoo-announce] [ GLSA 200809-16 ] Git: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200809-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Git: User-assisted execution of arbitrary code
      Date: September 25, 2008
      Bugs: #234075
        ID: 200809-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple buffer overflow vulnerabilities have been discovered in Git.

Background
==========

Git is a distributed version control system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-util/git            < 1.5.6.4       >= 1.5.6.4

Description
===========

Multiple boundary errors in the functions diff_addremove() and
diff_change() when processing overly long repository path names were
reported.
Impact
======

A remote attacker could entice a user to run commands like "git-diff" or
"git-grep" on a specially crafted repository, possibly resulting in the
remote execution of arbitrary code with the privileges of the user
running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/git-1.5.6.4"

References
==========

  [ 1 ] CVE-2008-3546
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3546

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200809-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
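As an added example (it is not part of this advisory, and not Gentoo's own tooling), the following POSIX sh snippet compares an installed Git's version string against the unaffected version given in the Affected packages table, so an administrator can confirm that the Resolution step actually took effect on a host. The helper names version_ge and glsa_200809_16_status are assumptions made here; the dotted-version comparison is generic and also copes with Gentoo "-rN" revision suffixes and versions with fewer components than the reference.

```shell
#!/bin/sh
# Added example, not part of the GLSA or of Gentoo's tooling: check whether an
# installed Git is older than the unaffected version named in the advisory.

FIXED_VERSION="1.5.6.4"   # "Unaffected" column of the Affected packages table

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Components are compared numerically; a missing component counts as 0, and a
# non-numeric suffix (e.g. Gentoo's "-r1" revision) is dropped by awk's
# string-to-number coercion, so "1.5.6.4-r1" compares as 1.5.6.4.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, ".")
        nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# glsa_200809_16_status VERSION: print a verdict for the given git version
# string; return 0 if unaffected, 1 if the advisory still applies.
glsa_200809_16_status() {
    v="$1"
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "git $v: not affected by GLSA 200809-16 (>= $FIXED_VERSION)"
        return 0
    fi
    echo "git $v: affected by GLSA 200809-16, upgrade to >= $FIXED_VERSION"
    return 1
}

# Stand-alone use: inspect the git on PATH, if any. "git --version" prints
# "git version X.Y.Z", so the third field is the version string.
if command -v git >/dev/null 2>&1; then
    glsa_200809_16_status "$(git --version | awk '{print $3}')" || true
fi
```

On a Gentoo host the version reported here is what `emerge --ask --oneshot --verbose ">=dev-util/git-1.5.6.4"` from the Resolution section brings dev-util/git up to; on other distributions the same comparison applies to whatever version string their git binary reports.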