Bugzilla – Bug 971328
VUL-0: CVE-2016-2324, CVE-2016-2315: git: remote code execution via buffer overflow
Last modified: 2016-04-27 19:54:23 UTC
rh#1317981 There is a buffer overflow vulnerability possibly leading to remote code execution in git. It can happen while pushing or cloning a repository with a large filename or a large number of nested trees.
References:
http://seclists.org/oss-sec/2016/q1/645
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2324
http://seclists.org/oss-sec/2016/q1/652
https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
Debian separated both like:
* CVE-2016-2315 is listed as being fixed by https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 - Suggesting to me that CVE-2016-2315 is the more serious buffer overflow issue.
* CVE-2016-2324 is listed as being fixed by https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d - Does this simply fix the issue of allocating much more memory than needed?
From a first read of CVE-2016-2324, it seems like a larger change than just allocating a bigger buffer, but I am still getting my head around the patch. It seems like it's doing the string manipulation once in one place before passing into other functions. It seems like at least in list-objects.c it is able to do the string manipulation safely as it has access to the path length. Given the number of callbacks I'm still not 100% certain yet.
My understanding is that, since path_name() concatenates pieces of strings in a list, this may end up with more than 32bit integer size. Then the newly calculated size gets truncated in 32bit int, which is smaller than the requested size, and the strcpy/memcpy overflows this smaller buffer.

Unfortunately, the upstream fix for CVE-2016-2324 -- to drop the whole path_name() usage -- doesn't apply well to the code prior to git-2.2. There was a big change in reachable.c and elsewhere before that version. That said, the upstream fix is applicable only for Leap 42.1, and the packages for other releases would need a different fix than the upstream one anyway. An easy fix would be just to calculate the size in path_name() properly with size_t, as mentioned in the discussion thread. Maybe it's better to bail out when the size gets over 32bit there.

The impact of the bug is... well, I guess it's not so easy to reproduce. The path name length needs to be more than 32bit, i.e. the resource required to get the overflow is already very high. My guess is that you'll get a segfault before that on most systems, especially when running on a VM, since the allocation of strings that are passed to path_name() itself would fail, and there is no NULL check after malloc() in the relevant code. But I might overlook something obvious, of course...
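As an added illustration of the length arithmetic described in the comment above (my own reduced model, not git's path_name() and not the patch attached to this bug): a name_path chain with constructed component lengths, the wrapping 32-bit accumulator, and a size_t variant that refuses any total that would not fit in an int. The 32-bit wrap is modelled with unsigned arithmetic because the signed overflow in a real int accumulator is undefined behaviour; nothing here allocates memory, only lengths are computed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a chain of nested tree names, innermost first:
 * each element contributes its name plus one '/' separator. */
struct name_path {
    const struct name_path *up;
    size_t elem_len;                     /* length of this component's name */
};

/* Length computed with a 32-bit accumulator, as the vulnerable code did
 * with an int: once the sum passes 2^32 it wraps, the buffer allocated
 * from it is tiny, and the later strcpy/memcpy writes far past its end. */
uint32_t path_len_truncating(const struct name_path *path, size_t name_len)
{
    uint32_t len = (uint32_t)name_len + 1;          /* name + NUL */
    for (const struct name_path *p = path; p; p = p->up)
        if (p->elem_len)
            len += (uint32_t)p->elem_len + 1;       /* component + '/' */
    return len;
}

/* Hardened variant: accumulate in size_t, check every addition for
 * wrap-around, and bail out (return 0, never a valid length here since
 * the NUL counts) when the total does not fit in an int. */
size_t path_len_checked(const struct name_path *path, size_t name_len)
{
    size_t len = name_len;
    if (len > SIZE_MAX - 1)
        return 0;
    len += 1;                                       /* NUL */
    for (const struct name_path *p = path; p; p = p->up) {
        if (!p->elem_len)
            continue;
        if (p->elem_len > SIZE_MAX - 1 - len)       /* would wrap size_t */
            return 0;
        len += p->elem_len + 1;                     /* component + '/' */
    }
    if (len > (size_t)INT_MAX)                      /* bail out past int range */
        return 0;
    return len;
}

/* Constructed scenarios: "lib/src/main.c", and two nested components of
 * 2^31 bytes each under a 5-byte file name (lengths only, no data). */
static const struct name_path demo_lib   = { NULL, 3 };
static const struct name_path demo_src   = { &demo_lib, 3 };
static const struct name_path demo_outer = { NULL, 0x80000000u };
static const struct name_path demo_inner = { &demo_outer, 0x80000000u };
```

For the oversized chain the truncating computation yields 8 while the checked one rejects it; for lib/src/main.c both agree on 15.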
Attached below is a trivial fix patch for CVE-2016-2324. The package in OBS home:tiwai:branches:OBS_Maintained:git/git.openSUSE_Leap_42.1_Update contains the upstream fix, 6 patches in total. The packages in OBS home:tiwai:branches:OBS_Maintained:git/git.openSUSE_13.2_Update and in IBS home:tiwai:branches:OBS_Maintained:git/git.SUSE_SLE-11-SP1_Update and home:tiwai:branches:OBS_Maintained:git/git.SUSE_SLE-12_Update carry the upstream patch for CVE-2016-2315 and my fix patch. All packages are totally untested yet :)
Created attachment 669288 Test fix patch
This is an autogenerated message for OBS integration: This bug (971328) was mentioned in https://build.opensuse.org/request/show/373731 42.1 / git https://build.opensuse.org/request/show/373734 13.2 / git
there were more emails...

From: Laël Cellier <lael.cellier@...oste.net>
To: oss-security@...ts.openwall.com, website@...se.com
Subject: Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315 )

Oh. Big mistake. I might have advertised too soon. I saw changes were pushed in master, so I thought the next version (which was 2.7.1) would be the one which will include the fix. But as pointed out on https://security-tracker.debian.org/tracker/CVE-2016-2324 no versions including the fixes were released yet, and even 2.7.3 still includes path_name(). I didn't check the code (Sorrrry).
So the only way to fix it is to draw your compilers and compile the current master branch at https://git.kernel.org/cgit/git/git.git/. Or do like github did by using the patches at http://thread.gmane.org/gmane.comp.version-control.git/286253 and http://thread.gmane.org/gmane.comp.version-control.git/286008
I'm really sorry.
cc'ing openSUSE cgit maintainer
The git package for TW was also submitted to OBS devel:tools:scm. Andreas, please check it. All cgit packages contain git-2.7.0, so CVE-2016-2324 isn't fixed there yet. I submitted the fixed cgit packages with the same backports now.
This is an autogenerated message for OBS integration: This bug (971328) was mentioned in https://build.opensuse.org/request/show/373842 13.2 / cgit https://build.opensuse.org/request/show/373845 42.1 / cgit
SUSE-SU-2016:0796-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): git-1.8.5.6-18.1
SUSE Linux Enterprise Software Development Kit 12 (src): git-1.8.5.6-18.1
SUSE Linux Enterprise Server 12-SP1 (src): git-1.8.5.6-18.1
SUSE Linux Enterprise Server 12 (src): git-1.8.5.6-18.1
bugbot adjusting priority
SUSE-SU-2016:0798-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
SUSE OpenStack Cloud 5 (src): git-1.7.12.4-0.14.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): git-1.7.12.4-0.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): git-1.7.12.4-0.14.1
This is an autogenerated message for OBS integration: This bug (971328) was mentioned in https://build.opensuse.org/request/show/374127 13.1+Evergreen:11.4 / git https://build.opensuse.org/request/show/374130 Evergreen:11.4+13.1 / cgit
The fixes have been merged to all relevant branches, I suppose. Reassigning back to security team.
released leap and 13.2, fix for factory is in queue ...
openSUSE-SU-2016:0802-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE Leap 42.1 (src): git-2.6.2-3.1
openSUSE 13.2 (src): git-2.1.4-19.1
openSUSE-SU-2016:0803-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE Leap 42.1 (src): cgit-0.12-9.1
openSUSE 13.2 (src): cgit-0.12-13.9.1
Fixed upstream in v2.7.4, v2.6.6, v2.5.5, v2.4.11
(In reply to Andreas Stieger from comment #24)
> Fixed upstream in v2.7.4, v2.6.6, v2.5.5, v2.4.11

Thanks. I submitted the update to 2.6.6 for openSUSE Leap again.
This is an autogenerated message for OBS integration: This bug (971328) was mentioned in https://build.opensuse.org/request/show/374799 42.1 / git
From: Laël Cellier <lael.cellier@laposte.net>
To: oss-security <oss-security@lists.openwall.com>
Date: Fri, 18 Mar 2016 00:20:27 +0100
Subject: [oss-security] Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)

On 16/03/2016 16:40, Stefan Cornelius wrote:
> Hi,
>
> I'm Stefan Cornelius of Red Hat Product Security. Obviously, we're
> currently working on the Git security issues.
>
> In one of the emails to oss-sec you mention that you have some kind of
> reproducer for CVE-2016-2315.
>
> Would you please be kind enough to share this reproducer with us?

Unfortunately, I can currently only share early work based on a modified version of gitdb which can't create a packfile (Maybe I will be able to upload the full gitdb version in a few weeks). You can find it as an attachment along with an example file.
This email contains a vulnerable version of git with libasan https://github.com/google/sanitizers and no optimizations which helped me to identify the issue. When I pushed that large repository, libasan printed a stack trace which ended on strcpy() in path_name.c (just cat 2GB.txt in a terminal)
Either way once you have a packfile, you need to create a network payload. Since my vector was ssh I used the good vim editor on the packfile in order to add the missing information (nul bytes included) (since everything is text based outside the packfile). Doing it manually was much faster than trying to create a script.
I included an example for ssh which will fill ram if cloned or pushed (without doing anything related to the vulnerability). It should help demonstrating how to produce one for triggering rce.
For those who don't want to try it. I included a crafted repo ready for use which will crash affected versions. It will help distributions testing their own patches.
Of course everything I did was about strcpy() and doesn't contain executable code (though putting some should be easy). For other vulnerabilities based on that size_t to int truncation, just ask Peff at GitHub, inc. He did his own testing.

> It would help us tremendously. We will not share the reproducer with
> third parties and will only use it for our internal testing.

On the contrary, please make them widely available so other distributions can test their own patches faster.

> Thank you very much and kind regards,

regards,

The attachments being too large, you can download them on http://ytrezq.sdfeu.org/git/reproducer.zip
openSUSE-SU-2016:0826-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE Evergreen 11.4 (src): git-1.7.3.4-4.14.1
openSUSE-SU-2016:0829-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE 13.1 (src): cgit-0.12-11.12.1
openSUSE-SU-2016:0831-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE Evergreen 11.4 (src): cgit-0.8.3.3-5.11.1
openSUSE-SU-2016:0832-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE 13.1 (src): git-1.8.4.5-3.14.1
openSUSE-SU-2016:0958-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 971328
CVE References: CVE-2016-2315,CVE-2016-2324
Sources used:
openSUSE Leap 42.1 (src): git-2.6.6-7.1