From tmz at pobox.com Fri Jun 12 04:02:06 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Fri, 12 Jun 2009 00:02:06 -0400
Subject: git daemon DoS
Message-ID: <20090612040206.GD5076@inocybe.localdomain>

Greetings,

I'm seeking help and input in dealing with a git-daemon bug that was
recently fixed upstream. Discussion of the bug and the patch for git's
maint branch is in the git list archives:

    http://article.gmane.org/gmane.comp.version-control.git/120724

The patch in the first mail of the thread isn't what was queued in
maint. What was committed is at:

    http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly. The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon. I don't think the
backporting is all that difficult, but I am not a strong C coder. Any
extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial
patch in the git list thread above:

    $ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
    ' | nc $GITHOST 9418

This will cause the git-daemon process spawned via xinetd to enter an
infinite loop. New requests will still be handled, as xinetd will spawn
a new git-daemon process. But, of course, an attacker can easily cause
many git-daemon processes to be started that will not exit.

I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there). These packages and patches against current CVS are at:

    http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)

Thanks for any time the good folks on this list could give to checking
and/or testing these packages. I've not had time to see if any other
distros have backported this fix to compare. If anyone has a moment to
do so, it would be much appreciated.

If it would be better to file this in bugzilla rather than discuss it
here, let me know and I'll file it accordingly.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The kind of man who wants the government to adopt and enforce his ideas
is always the kind of man whose ideas are idiotic.
    -- H. L. Mencken


From thoger at redhat.com Fri Jun 12 08:13:14 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Fri, 12 Jun 2009 10:13:14 +0200
Subject: git daemon DoS
In-Reply-To: <20090612040206.GD5076@inocybe.localdomain>
References: <20090612040206.GD5076@inocybe.localdomain>
Message-ID: <20090612101314.242f902d@redhat.com>

Hi Todd!

On Fri, 12 Jun 2009 00:02:06 -0400 Todd Zullinger wrote:

> http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
>
> Of the active Fedora/EPEL branches, only devel and F-11 are recent
> enough for this to apply cleanly. The other branches required a small
> amount of reworking to account for changes made to git-daemon since
> the releases those branches were based upon. I don't think the
> backporting is all that difficult, but I am not a strong C coder. Any
> extra eyes on my backported patches would be most helpful.

Your backported patches seem to do the same thing as the upstream
commit. Looks good to me and seems to fix the issue in both the F-10
and EL-4 versions I quick-tested.

> A simple way to test this against a git server, taken from the initial
> patch in the git list thread above:
>
> $ perl -e '
> $s="git-upload-pack git\0user=me\0host=localhost\0";
> printf "%4.4x%s",4+length $s,$s
> ' | nc $GITHOST 9418

Or

    | git-daemon --inetd --base-path=`pwd` --export-all

as suggested in the upstream mailing list thread.

> Thanks for any time the good folks on this list could give to checking
> and/or testing these packages. I've not had time to see if any other
> distros have backported this fix to compare. If anyone has a moment
> to do so, it would be much appreciated.

I'm not sure any distro has already worked on backports; the issue does
not seem to be fixed in any released git version yet.

> If it would be better to file this in bugzilla rather than discuss it
> here, let me know and I'll file it accordingly.

Feel free to file in BZ, also for Bodhi update request reference.

-- 
Tomas Hoger / Red Hat Security Response Team


From tmz at pobox.com Sat Jun 13 18:07:21 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Sat, 13 Jun 2009 14:07:21 -0400
Subject: git daemon DoS
In-Reply-To: <20090612101314.242f902d@redhat.com>
References: <20090612040206.GD5076@inocybe.localdomain>
	<20090612101314.242f902d@redhat.com>
Message-ID: <20090613180721.GM5076@inocybe.localdomain>

Hello Tomas,

Tomas Hoger wrote:
> Your backported patches seem to do the same thing as the upstream
> commit. Looks good to me and seems to fix the issue in both the F-10
> and EL-4 versions I quick-tested.

Great, thanks for checking and testing them.

>> A simple way to test this against a git server, taken from the
>> initial patch in the git list thread above:
>>
>> $ perl -e '
>> $s="git-upload-pack git\0user=me\0host=localhost\0";
>> printf "%4.4x%s",4+length $s,$s
>> ' | nc $GITHOST 9418
>
> Or | git-daemon --inetd --base-path=`pwd` --export-all as suggested
> in the upstream mailing list thread.

Yeah. My reason for using netcat was to show how the git-daemon
processes built up and consumed CPU. :)

> I'm not sure any distro has already worked on backports; the issue
> does not seem to be fixed in any released git version yet.

Correct. I don't know when a 1.6.3.3 is slated. Usually git doesn't go
too long between releases, but Junio said he's been busier than normal
in the last "What's cooking in git.git" note to the git list.

> Feel free to file in BZ, also for Bodhi update request reference.

Filed as https://bugzilla.redhat.com/show_bug.cgi?id=505761

Thanks,

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I do not believe in the collective wisdom of individual ignorance.
    -- Thomas Carlyle
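The thread's test request is a single git pkt-line: a four-hex-digit length prefix that counts itself, then "git-upload-pack git\0" followed by NUL-terminated key=value extra args, with "user=me" placed before "host=localhost". The example below, added to this archive and not code from the thread or from git's own daemon.c, builds that exact request the way the perl one-liner does, then contrasts two ways of walking the extra args: a cursor loop that only advances past a recognised key (an illustration of the bug class the thread describes, with an iteration cap so it returns instead of spinning), and a parser that splits on the NUL terminators so every arg, known or not, advances the cursor. The request body, the iteration cap and all function names are constructed for this example.

```python
"""Build and parse the git-daemon request from the thread (illustrative only).

Layout, as in the perl one-liner: "%04x" length prefix (including the 4
prefix bytes) + "<command> <path>\0" + zero or more "key=value\0" extra args.
None of this is git's own code.
"""
import re

# Constructed to match the thread's test request byte for byte.
TEST_BODY = b"git-upload-pack git\0user=me\0host=localhost\0"


def pkt_line(body: bytes) -> bytes:
    """Prefix body with its length plus 4, as four lowercase hex digits."""
    return b"%04x%s" % (len(body) + 4, body)


def read_pkt_line(data: bytes) -> bytes:
    """Validate the length prefix and return just the payload."""
    if len(data) < 4 or not re.fullmatch(rb"[0-9a-fA-F]{4}", data[:4]):
        raise ValueError("bad pkt-line length prefix")
    n = int(data[:4], 16)
    if n < 4 or n > len(data):
        raise ValueError("pkt-line length out of range")
    return data[4:n]


def parse_extra_args_fragile(extra: bytes, max_iter: int = 1000):
    """Bug-class illustration (not git's code): the cursor only moves past
    a recognised "host=" arg.  When the first arg is something else, such as
    the thread's "user=me", nothing advances and the loop would run forever;
    max_iter is an artificial cap so this function returns None instead."""
    pos, host = 0, None
    for _ in range(max_iter):
        if pos >= len(extra) or extra[pos] == 0:
            return host
        if extra[pos:].startswith(b"host="):
            end = extra.index(b"\0", pos)
            host = extra[pos + 5:end].decode("utf-8", "replace")
            pos = end + 1
        # unrecognised key: pos is unchanged, so the same check repeats
    return None


def parse_request(data: bytes) -> dict:
    """Hardened parse: iterate over NUL-delimited fields, so the number of
    loop turns is bounded by the payload length and unknown keys are simply
    recorded rather than stalling the parser."""
    payload = read_pkt_line(data)
    fields = payload.split(b"\0")
    if fields and fields[-1] == b"":
        fields.pop()  # drop the empty piece after the final terminator
    head = fields[0].decode("utf-8", "replace") if fields else ""
    command, _, path = head.partition(" ")
    args, malformed = {}, []
    for arg in fields[1:]:
        key, sep, value = arg.decode("utf-8", "replace").partition("=")
        if not sep:
            malformed.append(key)  # no "=": keep going, never spin
            continue
        args[key] = value
    return {"command": command, "path": path, "args": args,
            "malformed": malformed}


if __name__ == "__main__":
    req = pkt_line(TEST_BODY)
    print(req[:4], parse_request(req))
    print("fragile loop on the test args:",
          parse_extra_args_fragile(b"user=me\0host=localhost\0"))
```

The length prefix for the thread's body comes out as 002f (43 body bytes plus the 4-byte prefix), which is a quick way to check that a hand-built request is well formed before sending it at a test daemon. The fragile loop returns None on the thread's argument order and "localhost" when "host=" comes first, which is the difference the nc test exercises; the hardened parser accepts either order because its loop is driven by the data it has already consumed.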