Package: git-core
Severity: grave
Tags: security

A buffer overflow bug has been discovered in GIT. Upstream version 1.1.5 fixes it, too.

Author: Junio C Hamano <[EMAIL PROTECTED]> 2006-01-27 23:44:07
Committer: Junio C Hamano <[EMAIL PROTECTED]> 2006-01-27 23:44:07
Parent: e921fb82cf6fb4a5f138ec9d27bc37c658336a8c (git-fetch-pack: really do not ask for funny refs)
Child: ca182053c7710a286d72102f4576cf32e0dafcfb (GIT 1.0.13)

checkout: do not make a temporary copy of symlink target.

If the index records an insanely long symbolic link, copying into the temporary would overflow the buffer (noticed by Mark Wooding).

Because read_sha1_file() terminates the returned buffer with NUL since late May 2005, there is no reason to copy it anymore.

Signed-off-by: Junio C Hamano <[EMAIL PROTECTED]>

----------------------------------- entry.c ----------------------------------- index 410b758..6c47c3a 100644 @@ -68,11 +68,10 @@ static int write_entry(struct cache_entr int fd; void *new; unsigned long size; long wrote; char type[20]; - char target[1024]; new = read_sha1_file(ce->sha1, type, &size); if (!new || strcmp(type, "blob")) { if (new) free(new); @@ -92,16 +91,14 @@ static int write_entry(struct cache_entr free(new); if (wrote != size) return error("git-checkout-index: unable to write file %s", path); break; case S_IFLNK: - memcpy(target, new, size); - target[size] = '\0'; - if (symlink(target, path)) { + if (symlink(new, path)) { free(new); - return error("git-checkout-index: unable to create symlink %s (%s)", - path, strerror(errno)); + return error("git-checkout-index: unable to create " + "symlink %s (%s)", path, strerror(errno)); } free(new); break; default: free(new);
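
Review bot: In the S_IFLNK case of the second hunk, symlink(new, path) now relies on read_sha1_file() returning a NUL-terminated buffer, and that guarantee is stated only in the commit message. A one-line comment at the call would keep a later change to read_sha1_file() from silently turning this into an out-of-bounds read. The symlink path also no longer uses size at all, so a blob with an embedded NUL still produces a link target shorter than size with no diagnostic, as it did before the change. Comparing strlen(new) against size ahead of the symlink() call and returning error() on a mismatch would make that case visible.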