git daemon DoS

[Tomas Hoger]

Hi Todd!

On Fri, 12 Jun 2009 00:02:06 -0400 Todd Zullinger <tmz at pobox.com> wrote:

>     http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
> 
> Of the active Fedora/EPEL branches, only devel and F-11 are recent
> enough for this to apply cleanly.  The other branches required a small
> amount of reworking to account for changes made to git-daemon since
> the releases those branches were based upon.  I don't think the
> backporting is all that difficult, but I am not a strong C coder.  Any
> extra eyes on my backported patches would be most helpful.

Your backported patches seem to do the same thing as the upstream
commit.  Look good to me and seem to fix the issue in both F-10 and
EL-4 version I quick-tested.

> A simple way to test this against a git server, taken from the initial
> patch in the git list thread above:
> 
> $ perl -e '
>     $s="git-upload-pack git\0user=me\0host=localhost\0";
>     printf "%4.4x%s",4+length $s,$s
> ' | nc $GITHOST 9418

Or | git-daemon --inetd --base-path=`pwd` --export-all as suggested in
the upstream mailing list thread.

> Thanks for any time the good folks on this list could give to checking
> and/or testing these packages.  I've not had time to see if any other
> distros have backported this fix to compare.  If anyone has a moment
> to do so, it would be much appreciated.

I'm not sure any distro already worked on backports, the issue does not
seem to be fixed in any released git version yet.

> If it would be better to file this in bugzilla rather than discuss it
> here, let me know and I'll file it accordingly.

Feel free to file in BZ, also for Bodhi update request reference.

-- 
Tomas Hoger / Red Hat Security Response Team