These patches are proposed for maint (but also apply cleanly to master).

I presume that this is exploitable via Git commands, though I haven't verified it explicitly [1].

I *think* that the rest of the file is OK. open_output_fd() initially looks suspicious, because it strcpy()s a string onto the end of its path argument. But that is only done when to_tempfile is set, which in turn is handled consistently up the callstack up to the point where it is initially set in checkout_entry() if topath is not NULL. So as long as the caller obeys checkout_entry()'s docstring and passes a long enough buffer for topath, I think everything is OK. In any case, the string appended in open_output_fd() is not under the control of the user, so even if there were a bug in this code path it shouldn't be exploitable.

[1] For example, it is conceivable that there are some checks when writing a tree that prevent files with such long names from being written by Git. But even if so, it is clearly a bug that could be hit locally on any filesystem where PATH_MAX is not a hard limit.

Michael Haggerty (2):
  checkout_entry(): use the strbuf throughout the function
  entry.c: fix possible buffer overflow in remove_subtree()

 entry.c | 64 ++++++++++++++++++++++++++++++++--------------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

-- 
1.9.0
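
Added example (not part of the original message and not Git's code): the fixed-buffer hazard discussed in the message above, shown as a path join that checks the length before copying, next to a growable buffer that has no upper bound. BUF_CAP is a small stand-in for PATH_MAX, and struct gbuf, gbuf_add(), join_fixed() and join_grow() are hypothetical names, not Git's strbuf API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 16   /* small stand-in for PATH_MAX so the limit is easy to hit */

/* Fixed buffer: refuse instead of writing past the end.
 * Returns 0 on success, -1 if dir + "/" + name + NUL does not fit. */
int join_fixed(char out[BUF_CAP], const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    if (need > BUF_CAP)
        return -1;              /* an unchecked strcpy() would overflow here */
    snprintf(out, BUF_CAP, "%s/%s", dir, name);
    return 0;
}

/* Growable buffer (hypothetical helper, not Git's strbuf API). */
struct gbuf { char *s; size_t len, cap; };

int gbuf_add(struct gbuf *b, const char *src)
{
    size_t n = strlen(src);
    if (b->len + n + 1 > b->cap) {
        size_t cap = (b->len + n + 1) * 2;   /* grow with headroom */
        char *p = realloc(b->s, cap);
        if (!p)
            return -1;
        b->s = p;
        b->cap = cap;
    }
    memcpy(b->s + b->len, src, n + 1);       /* copies the NUL as well */
    b->len += n;
    return 0;
}

/* Build dir/name with no upper bound on length; caller frees the result. */
char *join_grow(const char *dir, const char *name)
{
    struct gbuf b = { NULL, 0, 0 };
    if (gbuf_add(&b, dir) || gbuf_add(&b, "/") || gbuf_add(&b, name)) {
        free(b.s);
        return NULL;
    }
    return b.s;
}
```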