[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)

To: fulldisclosure@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, dailydave@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)
From: Laël Cellier <lael.cellier@xxxxxxxxxxx>
Date: Fri, 18 Mar 2016 09:59:21 +0100

Oh………………………… Big mistake. I might advertised too soon.

I saw changes were pushed in master, so I thought the next version(which was 2.7.1) would be the one which will include the fix.But as pointed out onhttps://security-tracker.debian.org/tracker/CVE-2016-2324 no versionsincluding the fixes were released yet, and even 2.7.3 still includepath_name(). I didn’t checked the code (Sorrrry).

So the only way to fix it is to draw your compilers and compile thecurrent master branch at https://git.kernel.org/cgit/git/git.git/.Or do like github did by using the patches athttp://thread.gmane.org/gmane.comp.version-control.git/286253 andhttp://thread.gmane.org/gmane.comp.version-control.git/286008

Prev by Date: Xoops 2.5.7.2 Directory Traversal Bypass
Next by Date: Remote Code Execution via CSRF in iTop
Previous by thread: Xoops 2.5.7.2 Directory Traversal Bypass
Next by thread: Remote Code Execution via CSRF in iTop
Index(es):
- Date
- Thread