Debian Bug report logs - #532935
CVE-2009-2108: git-daemon Infinite Loop Denial of Service


Package: git-core; Maintainer for git-core is Gerrit Pape <pape@smarden.org>; Source for git-core is src:git.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 12 Jun 2009 23:27:01 UTC

Severity: grave

Tags: patch, security

Found in versions git-core/1:1.6.3.1-1, git-core/1:1.4.4.4-4

Fixed in version git-core/1:1.6.3.3-1

Done: Gerrit Pape <pape@smarden.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Fri, 12 Jun 2009 23:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gerrit Pape <pape@smarden.org>. (Fri, 12 Jun 2009 23:27:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Date: Sat, 13 Jun 2009 01:24:29 +0200
Package: git-core
Version: 1:1.6.3.1-1
Severity: grave
Tags: security patch


Hi,

The following SA (Secunia Advisory) id was published for git:

SA35437[1]:

Description:
A vulnerability has been reported in Git, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite loop when parsing certain additional request parameters. This can be exploited to cause a high CPU load by sending specially crafted requests to an affected git-daemon.

The vulnerability is reported in versions 1.4.4.5 through 1.6.3.2. Other versions may also be affected.



Solution:
Fixed in the Git repository.[2]

Provided and/or discovered by:
Shawn O. Pearce

If you fix the vulnerability please also make sure to include the CVE id
(if one will be available) in the changelog entry.


For further information see:

[1] http://secunia.com/advisories/35437/
[2] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

    https://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Cheers,
Giuseppe.


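The advisory above describes an infinite loop when git-daemon walks the extra request parameters it does not recognise. The following is an added illustrative example written for this bug log, not code from git's daemon.c and not part of the original report: a bounded parser for the NUL-separated extra arguments of a git-daemon request, in which the cursor is advanced past every argument whether or not it is recognised, and termination is checked against the buffer length rather than trusted from the client. The struct, field and function names are assumptions; `host=` is the extra argument git-daemon recognises.

```c
/* Added illustrative example, not code from git's daemon.c.
 * Parses the NUL-separated "extra args" that follow a git-daemon
 * request line, advancing past every argument so that an
 * unrecognised one cannot stall the loop (the CVE-2009-2108 bug class). */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct extra_args {               /* names are assumptions */
    char host[256];               /* value of "host=", if present */
    int unknown_count;            /* arguments we did not recognise */
    int saw_extended;             /* at least one extra arg seen */
};

/* Returns the number of arguments parsed, or -1 if the buffer is
 * malformed (an argument without its terminating NUL, or an
 * oversized host value). Never trusts the client for termination. */
int parse_extra_args(const char *buf, size_t len, struct extra_args *out)
{
    const char *p = buf, *end = buf + len;
    int n = 0;

    memset(out, 0, sizeof(*out));
    while (p < end && *p) {
        /* bound the search by the buffer, not by a client-supplied NUL */
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul)
            return -1;
        size_t arglen = (size_t)(nul - p);

        out->saw_extended = 1;
        if (arglen >= 5 && strncasecmp(p, "host=", 5) == 0) {
            size_t vlen = arglen - 5;
            if (vlen >= sizeof(out->host))
                return -1;
            memcpy(out->host, p + 5, vlen);
            out->host[vlen] = '\0';
        } else {
            out->unknown_count++;   /* unknown: count it and move on */
        }
        n++;
        p = nul + 1;                /* always advance exactly one argument */
    }
    return n;
}

int main(void)
{
    /* constructed request tail: one recognised and two unknown args */
    static const char req[] = "host=example.org\0foo=bar\0baz\0";
    struct extra_args a;
    int n = parse_extra_args(req, sizeof(req) - 1, &a);

    printf("parsed=%d host=%s unknown=%d\n", n, a.host, a.unknown_count);
    return n < 0;
}
```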



Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Sat, 13 Jun 2009 15:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guus Sliepen <guus@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Sat, 13 Jun 2009 15:27:02 GMT) Full text and rfc822 format available.

Message #10 received at 532935@bugs.debian.org (full text, mbox):

From: Guus Sliepen <guus@debian.org>
To: 532935@bugs.debian.org
Subject: 1.4.4.4 in etch (oldstable) is also vulnerable
Date: Sat, 13 Jun 2009 17:25:43 +0200
Hello,

Due to the fact that code from 1.4.4.5 has been backported into 1.4.4.4-4,
git-daemon in etch is also vulnerable to this bug.

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus@debian.org>

Bug marked as found in version 1:1.4.4.4-4. Request was from Guus Sliepen <guus@debian.org> to control@bugs.debian.org. (Sat, 13 Jun 2009 15:58:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Sun, 21 Jun 2009 12:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Sun, 21 Jun 2009 12:42:04 GMT) Full text and rfc822 format available.

Message #17 received at 532935@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 532935@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVEfied
Date: Sun, 21 Jun 2009 14:39:55 +0200
retitle 532935 CVE-2009-2108: git-daemon Infinite Loop Denial of Service
thanks


Hi,

this issue got a CVE id:

CVE-2009-2108[0]:
| git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
| cause a denial of service (infinite loop and CPU consumption) via a
| request containing extra unrecognized arguments.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2108
    http://security-tracker.debian.net/tracker/CVE-2009-2108


Changed Bug title to `CVE-2009-2108: git-daemon Infinite Loop Denial of Service' from `[SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service'. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sun, 21 Jun 2009 12:42:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Thu, 25 Jun 2009 08:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to 532935@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Thu, 25 Jun 2009 08:57:03 GMT) Full text and rfc822 format available.

Message #24 received at 532935@bugs.debian.org (full text, mbox):

From: Gerrit Pape <pape@smarden.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 532935@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Date: Thu, 25 Jun 2009 08:53:20 +0000
On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> The following SA (Secunia Advisory) id was published for git:
> 
> SA35437[1]:

Thanks Giuseppe.  Hi team@security, I prepared packages for lenny and
etch, and put them along with a debdiff here
 http://niequai.smarden.org/ruGho2e/

git-core v1.6.3.3, fixing the DoS in sid, will be uploaded tomorrow.

Regards, Gerrit.




Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility. (Fri, 26 Jun 2009 10:21:06 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 26 Jun 2009 10:21:06 GMT) Full text and rfc822 format available.

Message #29 received at 532935-close@bugs.debian.org (full text, mbox):

From: Gerrit Pape <pape@smarden.org>
To: 532935-close@bugs.debian.org
Subject: Bug#532935: fixed in git-core 1:1.6.3.3-1
Date: Fri, 26 Jun 2009 09:37:00 +0000
Source: git-core
Source-Version: 1:1.6.3.3-1

We believe that the bug you reported is fixed in the latest version of
git-core, which is due to be installed in the Debian FTP archive:

git-arch_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-arch_1.6.3.3-1_all.deb
git-core_1.6.3.3-1.diff.gz
  to pool/main/g/git-core/git-core_1.6.3.3-1.diff.gz
git-core_1.6.3.3-1.dsc
  to pool/main/g/git-core/git-core_1.6.3.3-1.dsc
git-core_1.6.3.3.orig.tar.gz
  to pool/main/g/git-core/git-core_1.6.3.3.orig.tar.gz
git-cvs_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-cvs_1.6.3.3-1_all.deb
git-daemon-run_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-daemon-run_1.6.3.3-1_all.deb
git-doc_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-doc_1.6.3.3-1_all.deb
git-email_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-email_1.6.3.3-1_all.deb
git-gui_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-gui_1.6.3.3-1_all.deb
git-svn_1.6.3.3-1_all.deb
  to pool/main/g/git-core/git-svn_1.6.3.3-1_all.deb
gitk_1.6.3.3-1_all.deb
  to pool/main/g/git-core/gitk_1.6.3.3-1_all.deb
gitweb_1.6.3.3-1_all.deb
  to pool/main/g/git-core/gitweb_1.6.3.3-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 532935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated git-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 23 Jun 2009 08:49:17 +0000
Source: git-core
Binary: git-core git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk gitweb
Architecture: all source
Version: 1:1.6.3.3-1
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description: 
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Closes: 532935
Changes: 
 git-core (1:1.6.3.3-1) unstable; urgency=high
 .
   * new upstream point release.
     * daemon: Strictly parse the "extra arg" part of the command
       (closes: #532935; CVE-2009-2108).
   * debian/rules: add NO_CROSS_DIRECTORY_HARDLINKS=1 to OPTS.
   * debian/diff/0006-bug-520116-Makefile-do-not-install-cross...diff:
     remove; obsolete.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Tue, 21 Jul 2009 21:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Harl <sh@tokkee.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Tue, 21 Jul 2009 21:33:04 GMT) Full text and rfc822 format available.

Message #34 received at 532935@bugs.debian.org (full text, mbox):

From: Sebastian Harl <sh@tokkee.org>
To: Gerrit Pape <pape@smarden.org>
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, 532935@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Date: Tue, 21 Jul 2009 23:22:18 +0200
Hi,

On Thu, Jun 25, 2009 at 08:53:20AM +0000, Gerrit Pape wrote:
> On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> > The following SA (Secunia Advisory) id was published for git:
> > 
> > SA35437[1]:
> 
> Thanks Giuseppe.  Hi team@security, I prepared packages for lenny and
> etch, and put them along with a debdiff here
>  http://niequai.smarden.org/ruGho2e/

Did anything ever happen to those packages? I was unable to find any
further traces of them and the security tracker [1] still marks Etch and
Lenny as being vulnerable. Please note that I did not double-check that,
though.

TIA,
Sebastian

[1] http://security-tracker.debian.net/tracker/CVE-2009-2108

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin


Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Tue, 21 Jul 2009 22:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Tue, 21 Jul 2009 22:42:02 GMT) Full text and rfc822 format available.

Message #39 received at 532935@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Sebastian Harl <sh@tokkee.org>, 532935@bugs.debian.org
Cc: Gerrit Pape <pape@smarden.org>, Giuseppe Iuculano <giuseppe@iuculano.it>, team@security.debian.org
Subject: Re: Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Date: Wed, 22 Jul 2009 00:33:52 +0200
Hi,
* Sebastian Harl <sh@tokkee.org> [2009-07-21 23:53]:
> On Thu, Jun 25, 2009 at 08:53:20AM +0000, Gerrit Pape wrote:
> > On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> > > The following SA (Secunia Advisory) id was published for git:
> > > 
> > > SA35437[1]:
> > 
> > Thanks Giuseppe.  Hi team@security, I prepared packages for lenny and
> > etch, and put them along with a debdiff here
> >  http://niequai.smarden.org/ruGho2e/
> 
> Did anything ever happen to those packages? I was unable to find any
> further traces of them and the security tracker [1] still marks Etch and
> Lenny as being vulnerable. Please note that I did not double-check that,
> though.

There is currently a build failure in the test suite on FTBFS that's why we 
are lacking updates and unfortunately Gerrit is not available at the moment
(see -private) so it is hard to track the reason. Maybe 
we'll have more luck on fixing this during the debconf.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#532935; Package git-core. (Wed, 22 Jul 2009 10:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 22 Jul 2009 10:45:07 GMT) Full text and rfc822 format available.

Message #44 received at 532935@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Sebastian Harl <sh@tokkee.org>, 532935@bugs.debian.org, Gerrit Pape <pape@smarden.org>, Giuseppe Iuculano <giuseppe@iuculano.it>, team@security.debian.org
Subject: Re: Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Date: Wed, 22 Jul 2009 12:33:14 +0200
Hi,
* Nico Golde <nion@debian.org> [2009-07-22 00:44]:
> There is currently a build failure in the test suite on FTBFS that's why we 

s/on FTBFS/on i386 for lenny/
Sent the build logs to Sebastian.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Aug 2009 07:30:26 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 13:05:28 2014; Machine Name: buxtehude.debian.org
