* [ANNOUNCE] GIT 1.1.5
From: Junio C Hamano @ 2006-01-28  4:48 UTC (permalink / raw)
  To: git; +Cc: linux-kernel

The latest maintenance release GIT 1.1.5 is available at the
usual places:

	http://www.kernel.org/pub/software/scm/git/

	git-1.1.5.tar.{gz,bz2}			(tarball)
	RPMS/$arch/git-*-1.1.5-1.$arch.rpm	(RPM)

Mark Wooding noticed that there is a bug in git-checkout-index
that overflows its internal buffer if you construct a blob that
records an insanely long symbolic link in your index file and
try to check it out.  This makes it dump core or worse.

The fix for this problem is the only change from v1.1.4.  The
master branch has been updated with the same fix (so has "pu").


---

By the way, "dump core or worse" is a subtle way to say that
this is a security fix.  To be victimized, you have to somehow
first get such a bogus symbolic link in your index.  Merging
with somebody of dubious trustworthiness is a way to do so;
please practice safe merge ;-).
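
The bug class the announcement describes, as an added example in
C.  This is not git's code and not the 1.1.5 fix; it is an
illustrative reconstruction: a checkout routine copies a blob (the
symlink target, whose length is chosen by whoever made the commit)
into a fixed-size buffer, beside a hardened form that sizes the
buffer from the blob and rejects over-long targets.  The struct,
function names, TARGET_BUF and TARGET_MAX are assumptions for the
illustration.

```c
/*
 * Added example, not git's code: an illustrative reconstruction of the
 * bug class in the GIT 1.1.5 announcement. A checkout routine receives
 * a blob (the symlink target) whose length is controlled by whoever
 * produced the commit, and copies it into a fixed-size buffer.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TARGET_BUF 64    /* hypothetical fixed-size target buffer */
#define TARGET_MAX 4096  /* hypothetical limit accepted by the safe path */

/* Constructed stand-in for a blob read out of the object store. */
struct blob {
    const char *data;
    size_t len;
};

/* Vulnerable pattern: 'len' comes from the blob, the destination does
 * not. Any blob of TARGET_BUF bytes or more writes past 'target'. */
static void build_target_unsafe(const struct blob *b, char target[TARGET_BUF])
{
    memcpy(target, b->data, b->len);   /* no bound on b->len */
    target[b->len] = '\0';             /* one more byte past the end */
}

/* The bound the unsafe routine forgot, exposed so the demo can show the
 * overflow condition without actually corrupting the stack. */
static int unsafe_would_overflow(const struct blob *b)
{
    return b->len + 1 > TARGET_BUF;
}

/* Hardened form: size the buffer from the blob itself and refuse targets
 * longer than the limit we are prepared to hand to symlink(2). Returns a
 * malloc'd NUL-terminated target, or NULL with errno set. */
static char *build_target_safe(const struct blob *b)
{
    if (b->len == 0 || b->len > TARGET_MAX) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *target = malloc(b->len + 1);
    if (!target)
        return NULL;
    memcpy(target, b->data, b->len);
    target[b->len] = '\0';
    return target;
}

/* Create the symlink at 'path' via the hardened path.
 * Returns 0 on success, -1 with errno set. */
static int checkout_symlink(const struct blob *b, const char *path)
{
    char *target = build_target_safe(b);
    if (!target)
        return -1;
    int rc = symlink(target, path);
    free(target);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a normal target and an "insanely long" one. */
    const char *normal_target = "../lib/libfoo.so.1";
    struct blob normal = { normal_target, strlen(normal_target) };
    static char huge[10000];
    memset(huge, 'A', sizeof huge);
    struct blob hostile = { huge, sizeof huge };

    char target[TARGET_BUF];
    build_target_unsafe(&normal, target);   /* fits, so this call is harmless */
    printf("normal target %s: unsafe path would overflow = %d\n",
           target, unsafe_would_overflow(&normal));
    printf("hostile blob of %zu bytes: unsafe path would overflow = %d\n",
           hostile.len, unsafe_would_overflow(&hostile));

    char *safe = build_target_safe(&hostile);
    printf("hardened path on hostile blob: %s\n",
           safe ? "accepted" : strerror(errno));
    free(safe);

    /* Exercise the hardened path end to end in the current directory. */
    if (checkout_symlink(&normal, "demo-link") == 0) {
        unlink("demo-link");
        puts("normal symlink checked out and removed");
    }
    return 0;
}
```

The point of the contrast is where the length bound lives: the unsafe
routine trusts a length that came out of the repository, while the
hardened one derives the allocation from that length and applies an
explicit limit before any copy happens.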


* Re: [ANNOUNCE] GIT 1.1.5
From: Eric Sandall @ 2006-01-31 17:38 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 27 Jan 2006, Junio C Hamano wrote:
> The latest maintenance release GIT 1.1.5 is available at the
> usual places:
>
> 	http://www.kernel.org/pub/software/scm/git/
>
> 	git-1.1.5.tar.{gz,bz2}			(tarball)
> 	RPMS/$arch/git-*-1.1.5-1.$arch.rpm	(RPM)
>
> Mark Wooding noticed that there is a bug in git-checkout-index
> that overflows its internal buffer if you construct a blob that
> records an insanely long symbolic link in your index file and
> try to check it out.  This makes it dump core or worse.
>
> The fix for this problem is the only change from v1.1.4.  The
> master branch has been updated with the same fix (so has "pu").
>
>
> ---
>
> By the way, "dump core or worse" is a subtle way to say that
> this is a security fix.  To be victimized, you have to somehow
> first get such a bogus symbolic link in your index.  Merging
> with somebody of dubious trustworthiness is a way to do so;
> please practice safe merge ;-).

I've updated the Source Mage GNU/Linux package, thanks!

- -sandalle

- --
Eric Sandall                     |  Source Mage GNU/Linux Developer
eric@sandall.us                  |  http://www.sourcemage.org/
http://eric.sandall.us/          |  SysAdmin @ Inst. Shock Physics @ WSU
http://counter.li.org/  #196285  |  http://www.shock.wsu.edu/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD36CPHXt9dKjv3WERAhpUAKCXdVE+RgUUEY2BGl2jf0Bicdo7lgCgu/PJ
yfRqXjYEzA8etWJBWQ+fK7E=
=4UVq
-----END PGP SIGNATURE-----
