Two vulnerabilities (CVE-2016-2315 and CVE-2016-2324), which feature a heap corruption and buffer overflow, were announced this week in all Git client/server versions before version 2.7.4. Both vulnerabilities have the potential to allow a remote authenticated attacker to perform remote code execution or Denial of Service (DoS) by pushing or cloning a repository with a large filename or large number of nested trees.
The vulnerabilities, identified by Laël Cellier, are a result of the use of the function path_name() to append the filename at the end of the path in a repository tree. The function makes use of two signed integers (len), which can be positive or negative, resulting in the possibility of an integer overflow. Passing a very large file name or number into strlen() will overflow len with a negative value. Finally, the usage of strcpy() will copy the large filename over the small amount of memory allocated, resulting in a heap overflow.
Security is a core value that we take very seriously to ensure the integrity of your data. As of Thursday, March 17, all affected Catalyze systems have been patched to address these vulnerabilities. We also suggest updating your own systems to the latest Git version (2.7.4).