From: Eygene Ryabinkin <rea-git@codelabs.ru>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: git@vger.kernel.org
Subject: Re: Memory overrun in http-push.c
Date: Thu, 1 Mar 2007 08:19:28 +0300
Message-ID: <20070301051928.GH57456@codelabs.ru>
In-Reply-To: <87tzx6i6hw.fsf@mid.deneb.enyo.de>

Florian, good day!

> > Spotted the memory overrun in the http-push.c. Exists at least in
> > 1.5.0.x, not sure about latest development branch. The patch is
> > attached.
> 
> Is this issue security-relevant?  After all, the misplaced pointer is
> dereferenced and written to.

It can be relevant: basically, it is a heap overflow, because
'url' is allocated by xmalloc. I did not try to exploit it, but the
old sudo exploit proved that even a one-byte-off memory dereference
can be exploited. But this particular exploit will work only for
the URLs where the 'path' is shorter than 10 bytes. And I doubt
that many people are running http-push in set-uid mode, so
the exploit target will be the person running git-push over HTTP,
not the root user. But that does not mean that this is not an issue.

Sorry for the long letter.
-- 
Eygene


Thread overview: 39+ messages
2007-02-28 15:15 Memory overrun in http-push.c Eygene Ryabinkin
2007-02-28 15:41 ` Andy Parkins
2007-02-28 15:42   ` Johannes Schindelin
2007-03-01  5:13   ` Eygene Ryabinkin
2007-03-01  8:15     ` Alex Riesen
2007-03-01  9:11       ` Eygene Ryabinkin
2007-03-01  9:21         ` Alex Riesen
2007-03-01 11:26           ` Eygene Ryabinkin
2007-03-01  9:32       ` Junio C Hamano
2007-03-01 10:04         ` Alex Riesen
2007-03-01 10:40         ` Andy Parkins
2007-03-01 12:00     ` Eygene Ryabinkin
2007-03-01 12:08       ` Junio C Hamano
2007-03-01 13:20         ` Eygene Ryabinkin
2007-03-01 17:11       ` Johannes Schindelin
2007-03-01 18:31         ` Andy Parkins
2007-03-01 18:41           ` Johannes Schindelin
2007-03-01 19:31             ` Andy Parkins
2007-03-01 20:43               ` Johannes Schindelin
2007-03-02 10:05                 ` Andy Parkins
2007-03-02 14:46                   ` Jakub Narebski
2007-03-02 15:22                     ` Andy Parkins
2007-03-02 19:16                   ` Johannes Schindelin
2007-03-02 19:42                     ` Andy Parkins
2007-03-04  8:17                   ` Daniel Barkalow
2007-03-04  8:31                     ` Junio C Hamano
2007-03-04  9:18                       ` Daniel Barkalow
2007-03-01 21:43         ` Alex Riesen
2007-03-01 21:54           ` Shawn O. Pearce
2007-03-01 17:52       ` Uwe Kleine-König
2007-03-02 14:38       ` Jakub Narebski
2007-03-02 15:17         ` Johannes Schindelin
2007-03-02 22:52           ` identifying blobs (was Re: Memory overrun in http-push.c) Junio C Hamano
2007-03-02 23:10             ` Linus Torvalds
2007-03-02 15:23         ` Memory overrun in http-push.c Andy Parkins
2007-03-02 15:30           ` Matthieu Moy
2007-03-02 15:48             ` Andy Parkins
2007-02-28 16:36 ` Florian Weimer
2007-03-01  5:19   ` Eygene Ryabinkin [this message]
