DSA-2114-1 git-core -- buffer overflow

Debian Security Advisory

DSA-2114-1 git-core -- buffer overflow

Date Reported:

26 Sep 2010

Affected Packages:

git-core

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 595728, Bug 590026.
In Mitre's CVE dictionary: CVE-2010-2542.

More information:

The Debian stable point release 5.0.6 included updated packages of the Git revision control system in order to fix a security issue. Unfortunately, the update introduced a regression which could make it impossible to clone or create Git repositories. This upgrade fixes this regression, which is tracked as Debian bug #595728.

The original security issue allowed an attacker to execute arbitrary code if he could trick a local user to execute a git command in a crafted working directory (CVE-2010-2542).

For the stable distribution (lenny), this problem has been fixed in version 1.5.6.5-3+lenny3.2.

The packages for the hppa architecture are not included in this advisory. However, the hppa architecture is not known to be affected by the regression.

For the testing distribution (squeeze) and the unstable distribution (sid), the security issue has been fixed in version 1.7.1-1.1. These distributions were not affected by the regression.

We recommend that you upgrade your git-core packages.

Fixed in:

Debian GNU/Linux 5.0 (stable)

Source:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.dsc

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.diff.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny3.2_all.deb

http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny3.2_all.deb

Alpha:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_arm.deb

ARM EABI:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_armel.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_ia64.deb

Big-endian MIPS:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mips.deb

Little-endian MIPS:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.