git daemon DoS

Todd Zullinger tmz at pobox.com
Fri Jun 12 04:02:06 UTC 2009


Greetings,

I'm seeking help and input in dealing with a git-daemon bug that was
recently fixed upstream.  Discussion of the bug and the patch for
git's maint branch is in the git list archives:

    http://article.gmane.org/gmane.comp.version-control.git/120724

The patch in the first mail of the thread isn't what was queued in
maint.  What was committed is at:

    http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly.  The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon.  I don't think the
backporting is all that difficult, but I am not a strong C coder.  Any
extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial
patch in the git list thread above:

$ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418

This will cause the git-daemon process spawned via xinetd to enter an
infinite loop.  New requests will still be handled, as xinetd will
spawn a new git-daemon process.  But, of course, an attacker can
easily cause many git-daemon processes to be started that will not
exit.

I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there).  These packages and patches against current CVS are at:

    http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)

Thanks for any time the good folks on this list could give to checking
and/or testing these packages.  I've not had time to see if any other
distros have backported this fix to compare.  If anyone has a moment
to do so, it would be much appreciated.

If it would be better to file this in bugzilla rather than discuss it
here, let me know and I'll file it accordingly.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The kind of man who wants the government to adopt and enforce his
ideas is always the kind of man whose ideas are idiotic.
    -- H. L. Mencken
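The one-liner above is the git pkt-line framing (four hex digits giving the total length, header included, followed by the payload) wrapped around a request whose NUL-separated extra arguments begin with a key the daemon does not know. The C below is an added example written for this page; it is not git's daemon.c and not taken from Todd's packages. It builds the same bytes the perl produces, then parses them twice: once with a strict loop that steps past every field and refuses any key other than host=, and once with a loop of the shape that only advances its cursor when it recognises a key, which stalls on "user=me" (a step budget stands in for the infinite loop so the call returns). Whether that second loop matches the pre-fix daemon exactly is something to check against the 73bb33a9 commit linked above; the struct and function names, the budget, and the second, well-formed sample payload are this example's own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not git's daemon.c: frame the request the perl one-liner sends,
 * then parse it strictly and with a loop that never advances past an unknown key. */

struct request { char cmd[64], path[256], host[256]; };  /* host="" if absent */

/* pkt-line framing, the same bytes as printf "%4.4x%s", 4+length $s, $s. */
static size_t pkt_line(const char *payload, size_t len, char *out, size_t outsz)
{
    if (len + 4 > outsz || len + 4 > 0xffff) return 0;
    snprintf(out, 5, "%04x", (unsigned)(len + 4) & 0xffffu);  /* NUL at out[4] is overwritten */
    memcpy(out + 4, payload, len);
    return len + 4;                                  /* bytes written */
}

/* Decode the header: payload length, or -1 if not hex, too short or truncated. */
static int pkt_payload_len(const char *buf, size_t n)
{
    char hdr[5] = {0};
    if (n < 4) return -1;
    for (int i = 0; i < 4; i++) {
        if (!isxdigit((unsigned char)buf[i])) return -1;
        hdr[i] = buf[i];
    }
    long total = strtol(hdr, NULL, 16);
    return (total < 4 || (size_t)total > n) ? -1 : (int)(total - 4);
}

static size_t bounded_len(const char *p, const char *end)   /* field length, never past end */
{
    const char *q = memchr(p, '\0', (size_t)(end - p));
    return q ? (size_t)(q - p) : (size_t)(end - p);
}

/* Hardened walk: every field moves the cursor, an unknown key fails the request. */
static int parse_extra_strict(const char *p, const char *end, struct request *r)
{
    while (p < end && *p) {
        size_t n = bounded_len(p, end);
        if (n < 5 || n - 5 >= sizeof r->host) return -1;
        if (strncmp(p, "host=", 5) != 0) return -1;   /* "user=me": refuse */
        memcpy(r->host, p + 5, n - 5);
        r->host[n - 5] = '\0';
        p += n + 1;                                   /* past field and its NUL */
    }
    return 0;
}

/* The failure class the one-liner exercises: the cursor only moves inside the
 * recognised-key branch, so a leading "user=me" pins it there. A step budget
 * stands in for "forever"; -1 means it ran out without progress. */
static int parse_extra_loose(const char *p, const char *end, struct request *r, int budget)
{
    while (p < end && *p) {
        size_t n = bounded_len(p, end);
        if (budget-- <= 0) return -1;
        if (n >= 5 && n - 5 < sizeof r->host && strncmp(p, "host=", 5) == 0) {
            memcpy(r->host, p + 5, n - 5);
            r->host[n - 5] = '\0';
            p += n + 1;
        }                                  /* no else: unknown key, p stays put */
    }
    return 0;
}

/* Parse "<cmd> <path>\0[key=val\0 ...]" out of one framed packet. */
static int parse_request(const char *buf, size_t n, struct request *r, int strict)
{
    int len = pkt_payload_len(buf, n);
    memset(r, 0, sizeof *r);
    if (len <= 0) return -1;
    const char *p = buf + 4, *end = p + len;
    const char *sp = memchr(p, ' ', (size_t)len);
    if (!sp || (size_t)(sp - p) >= sizeof r->cmd) return -1;
    memcpy(r->cmd, p, (size_t)(sp - p));
    const char *path = sp + 1;
    size_t plen = bounded_len(path, end);
    if (plen >= sizeof r->path) return -1;
    memcpy(r->path, path, plen);
    const char *extra = path + plen + 1;
    if (extra >= end) return 0;            /* old-style request, no extra args */
    return strict ? parse_extra_strict(extra, end, r)
                  : parse_extra_loose(extra, end, r, 1000);
}

/* Constructed payloads; the first is the string from the one-liner above. */
static const char DOS_PAYLOAD[] = "git-upload-pack git\0user=me\0host=localhost\0";
static const char OK_PAYLOAD[]  = "git-upload-pack /srv/git/repo.git\0host=localhost\0";

/* Frame then parse: 0 = accepted, -1 = rejected (strict) or stalled (loose). */
static int check_payload(const char *payload, size_t len, int strict, struct request *r)
{
    char buf[65536];
    size_t n = pkt_line(payload, len, buf, sizeof buf);
    return n ? parse_request(buf, n, r, strict) : -1;
}
```

To try it, add a main that calls check_payload(DOS_PAYLOAD, sizeof DOS_PAYLOAD - 1, 1, &r) and the same with strict = 0: the strict parser rejects the one-liner's request outright, the loose one exhausts its budget without moving past "user=me", and only the well-formed OK_PAYLOAD parses to cmd, path and host. The framing helper also shows why the perl adds 4 to the length: the count covers the hex header itself, so the one-liner's 43-byte payload goes out as "002f".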
