Integer truncation and overflow vulnerabilities in Git (CVE-2016-2315, CVE-2016-2324)

Red Hat Product Security has been made aware of vulnerabilities in Git where an integer truncation flaw (CVE-2016-2315) and an integer overflow flaw (CVE-2016-2324) could lead to a heap-based buffer overflow and consequently to remote code execution.

Overview

Git uses a special format to exchange repository information between the server and clients. This is known as the packfile format.

An attacker could create a specially crafted packfile that, when sent to a vulnerable server or client, could trigger an integer truncation or overflow when being processed, ultimately resulting in memory corruption.

Background

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Affected versions

Red Hat's released and supported versions of Git for Red Hat Enterprise Linux and Red Hat Software Collections are affected, as noted in the list of affected products within the Resolution section below. Additionally, all upstream versions of Git prior to versions 2.4.11, 2.5.5, 2.6.6, and 2.7.4 are also affected by these flaws.

Attack description and impact

The root causes of the vulnerabilities are an integer truncation and an integer overflow issue within the path_name() function in the revision.c source file, which is used by Git to process path information. The weakness is that this function fails to completely sanitize possibly malicious data that has been received, as part of a specially crafted Git packfile sent by an attacker, before processing it, which can lead to memory corruption and, possibly, the execution of arbitrary code.

The packfile format is used by Git internally to efficiently exchange repository information. Git uses a number of helper tools to generate packfiles and send or receive them across Git endpoints, and an attacker could create a specially crafted packfile containing a long path name (231 bytes, roughly 2 gigabytes) or a tree of path elements that would trigger the vulnerabilities in the path_name() function when being processed.

One such packfile has been created and posted publicly. It could be used to attack both clients and servers.

In order to attack a vulnerable server, an attacker would have to act as a Git client and send the specially crafted packfile to the vulnerable server, for example as part of a push operation. The vulnerable server would receive the malicious packfile from the malicious Git client and, when processing the contained path information, trigger the vulnerabilities in the path_name() function. Generally, such an operation requires authentication. The attacker would have to successfully pass this authentication for the attack to succeed.

To attack a client, an attacker could set up a malicious Git repository on a Git server and trick an unsuspecting user into cloning the repository. The client would then download the malicious packfile from the server and, subsequently, would trigger the vulnerabilities when trying to process it.

Although the raw, uncompressed size of the packfile would be around 2 gigabytes due to the requirement for huge path data, this does not mean that an attacker would have to send multiple gigabytes of data over the network. Due to the compression used by the packfile format internally, and potential further compression depending on the transport mechanism (for example SSH), it may be possible to exploit the vulnerabilities with only 200 megabytes of total network transferred data.

Resolution

All Git users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Before applying this update, make sure all previously released errata relevant to your system have been applied.

Product Package Advisory
Red Hat Enterprise Linux 6 git RHSA-2016-0496
Red Hat Enterprise Linux 7 git RHSA-2016-0496
Red Hat Software Collections git19-git RHSA-2016-0497

Frequently Asked Questions

I run a Git server. What's my exposure?

You are vulnerable if an attacker is able to push malicious data to a hosted Git repository. If this requires authentication, the attacker would have to successfully pass the authentication.

I run a Git client. What's my exposure?

An attacker could trick you into cloning from an untrusted or compromised Git repository to exploit this vulnerability.