Hi, I'd like to upload a new git-core package to proposed-updates in order to fix http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590026.
This is a security issue but we don't plan to issue a DSA for this. Since Gerrit Pape is currently not available from what I know, I prepared an NMU for s-p-u to fix this. Please let me know if I'm allowed to upload this. debdiff attached.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u git-core-1.5.6.5/debian/changelog git-core-1.5.6.5/debian/changelog --- git-core-1.5.6.5/debian/changelog +++ git-core-1.5.6.5/debian/changelog @@ -1,3 +1,12 @@ +git-core (1:1.5.6.5-3+lenny4.1) stable; urgency=high + + * Non-maintainer upload. + * debian/diff/0009-CVE-2010-2542.diff: + new; fix stack-based buffer overflow in handling gitdir + paths (Closes: #590026). + + -- Nico Golde <n...@debian.org> Tue, 27 Jul 2010 15:44:10 +0000 + git-core (1:1.5.6.5-3+lenny3) stable-security; urgency=high * debian/diff/0008-git-cvsserver-allow-regex-metacharacters-...diff: only in patch2: unchanged: --- git-core-1.5.6.5.orig/debian/diff/0009-CVE-2010-2542.diff +++ git-core-1.5.6.5/debian/diff/0009-CVE-2010-2542.diff @@ -0,0 +1,15 @@ +X-Git-Url: http://git.kernel.org/?p=git%2Fgit.git;a=blobdiff_plain;f=setup.c;h=3bb046118cb612b16f35fa016032d1486c6e7190;hp=0e4cfe603f1afe515365c9daf1ad8406de8e7fa8;hb=3c9d0414ed2db0167e6c828b547be8fc9f88fccc;hpb=c173dad58787a7f11a526dbcdaa5a2fe9ff1c87f + +diff --git a/setup.c b/setup.c +index 0e4cfe6..3bb0461 100644 +--- a/setup.c ++++ b/setup.c +@@ -170,6 +170,8 @@ static int is_git_directory(const char *suspect) + char path[PATH_MAX]; + size_t len = strlen(suspect); + ++ if (PATH_MAX <= len + strlen("/objects")) ++ die("Too long path: %.*s", 60, suspect); + strcpy(path, suspect); + if (getenv(DB_ENVIRONMENT)) { + if (access(getenv(DB_ENVIRONMENT), X_OK))
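Review bot: the changelog entry for 1:1.5.6.5-3+lenny4.1 names the CVE only in the patch filename (`debian/diff/0009-CVE-2010-2542.diff`); please also spell out `CVE-2010-2542` in the entry text itself, since the security tracker and `apt-listchanges` readers look at the prose line rather than the filename. The version scheme (`+lenny4.1` after the `+lenny3` stable-security upload) and `stable; urgency=high` look right for an s-p-u NMU.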
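Review bot: the added bounds check in `is_git_directory()` rejects `suspect` when `len + strlen("/objects") >= PATH_MAX`, which leaves room for the `/objects` suffix and the terminating NUL before the following `strcpy(path, suspect)`; that is correct for `/objects` but only protects later appends into `path` that are no longer than that suffix, so confirm the rest of the function (not shown in the hunk) builds nothing longer onto `path`. Separately, the patch file carries only an `X-Git-Url:` line as provenance; add the upstream commit id that the URL's `hb=` field already contains (3c9d0414ed2db0167e6c828b547be8fc9f88fccc) and a one-line description in DEP-3 form so the origin is clear without following the link.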