
Opened 2016-03-16T22:04Z by hellekin @hellekin

Git remote execution vulnerability on all distributed versions up to 2.7.1

http://seclists.org/oss-sec/2016/q1/660

Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished CVE-2016-2324 and CVE-2016-2315)

From: Laël Cellier <lael.cellier () laposte net>
Date: Wed, 16 Mar 2016 11:47:31 +0100

Oh.............................. Big mistake. I might have advertised too soon.

I saw changes were pushed to master, so I thought the next version (which was 2.7.1) would be the one that would include the fix.

But as pointed out on https://security-tracker.debian.org/tracker/CVE-2016-2324, no versions including the fixes have been released yet, and even 2.7.3 still includes path_name(). I didn't check the code (Sorrrry).

So the only way to fix it is to draw your compilers and compile the current master branch at https://git.kernel.org/cgit/git/git.git/.

Or do as GitHub did, by using the patches at http://thread.gmane.org/gmane.comp.version-control.git/286253 and http://thread.gmane.org/gmane.comp.version-control.git/286008

I'm really sorry...

Current upstream version in Devuan: 2.1.4 VULNERABLE

Fork and apply the patches? That's a big jump from 2.1.4 to 2.7.3. Ceres, though, has 2.7.0, so it should be OK.


  • Daniel Reurich
    Daniel Reurich @CenturionDan · 2016-03-16T22:53Z

    Let's give Debian's security team a day to patch it...

  • hellekin
    hellekin @hellekin · 2016-06-16T08:11Z

    For the record, it took Debian 3 days: Bug#818318, fixed in git 1:2.1.4-2.1+deb8u2.

  • hellekin @hellekin · Status changed to closed · 2016-06-16T08:11Z