Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 Mar 2016 02:31:27 +0100
From: Laël Cellier <lael.cellier@...oste.net>
To: oss-security@...ts.openwall.com
Subject: Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)

Concerning the reply to ᴄᴠᴇ details. (as you can check without the 
quotes, the pgp signature is correct and belong to mitre) (it was 
originally posted on the git‑security mailing list).
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>>>> int nlen = strlen(name); // the size is converted to a positive number
>>>> (the correct size was allocated previously with an unsigned long). I
>>>> got 705804100
>>> (i.e., inconsistent use of signed versus unsigned).
>>>
>>> Use CVE-2016-2315.
>> Yes, I think this is really the root of the issue ... It's
>> not just signed versus unsigned, though, but also truncation on 64-bit
>> systems (size_t down to int).
>
> OK, so more generally CVE-2016-2315 is the issue that "int" is the
> wrong data type for that nlen assignment.
>
>
>> Related ... is
>> integer overflow due to a loop which adds more to "len".
>>
>> I think that should potentially have a separate CVE (as it was_not_
>> fixed by 34fa79a6, and in fact there is not a published fix yet).
>
> Use CVE-2016-2324 for this integer overflow.
>
> - -- CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available throughhttp://cve.mitre.org/cve/request_id.html  ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJWvN/aAAoJEL54rhJi8gl5uAYP/izpW1/dYi3/UB0FFp3J6iz0
> pOpLy0TgZbfGCvrLAg2xlOxkY8ENEsX1JLKkIwAh0ViaLmKD+4xucgT5DIlpk2fl
> 0eAH8Hxcl2Nn8vOYx5orA6vTJ+S5pVGGSONk448cUDut9F4NBF0ngZ1GnAzQGI1d
> kbvA7aEz9jqUZGcnihoz84DeHwxZAw037MG1Yd/QW0eyHEC9w2fHEVF6GyHxfcMG
> eDowkjefIkmwYlMTbzv9l8v7rc6T7fFSrWe9xYc61rSEkYM5U1Eq2xHEIku6kYQT
> ns+0R+pZgwXakbUe9cJEjHQprGFw0iYtRdBZIDjSeiWZwWBjR9GUkFz/HXo2MdKV
> esN1lpF1x9MqFWjkHlxyCJOEAR1yzClYWU7RodyFeBIfdpc+7BM/I4Mr2b77O+Oi
> hUMBsfbZSPBz0+dBLlijFOBCkf+dvULc6DXM/yBJyYebY8EyUmtvw89u4dXefsZJ
> bvkYw6ltNgXYEovlg+Zp5HDtY5wBeJl/00XRK/Yqtl96Rgmc59jOvnO6j2487cEH
> x4KzwEP7PNDad954iMNQAIv2DLr+6/dGh1LEIoJeWV6kgHR2fM6roY1Ky6Dhc3HS
> BDD/i2d53+Ydej4+xAs7ABe0SRnONPZLvGXfTg1Xf3A1DQ3ctBEU8WTgoDeoNGF1
> 0VRlf18y1csVeTrRhfyX
> =mJKj
> -----END PGP SIGNATURE-----
>
But more generally, individual patches are here 
http://thread.gmane.org/gmane.comp.version-control.git/286253
And the affected versions are 2.7.0 and below. 2.7.1 is the first 
version which is safe to use. sid, you can relax the 2.7.3 in gitlab
This is the matter of pushing one or several crafted tree objects if the 
target is a server, or making a client cloning a crafted repository 
containing such objects.

Users of gerrit are also affected due to gerrit‑gc (so even probably 
google’s servers). But as the frontend is Jgit, the installed git 
version number is hidden (so the only way is to exploit remote code 
execution). (and this was because wikmedia used gerrit they were 
threat). Because gerrit‑gc rely on git, not on Jgit.

And for fun, a switch to java git might not be a good bet. Because I 
also probably found a server side memory leak in Jgit which can be 
triggered with a simple clone access (which I would be able to confirm 
once that vendor get that 
http://www.materiel.net/carte-reseau/intel-dual-band-wireless-ac-7260-desktop-7260hmwdtx1-r-114087.html 
again (so they can ship it to me, so I can replace the one that died)).

Concerning github, I already told they fixed github enterprise in 
December, and of course they did for the main site at the same time : 
https://bounty.github.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.