Git can potentially be tricked into running remote code via a buffer overflow while working with very long path names:
I didn't see this when it was originally disclosed so it's at least a month old now (more like two months since the earlier disclosure?). The first issue is fixed in Git 2.7.1 and the second in Git 2.7.4, it seems.
An attacker would exploit this by publishing an evil repository and tricking a victim into cloning it, or possibly by pushing an evil commit to a writable repository. This evil repository or commit would have very long path names (a path longer than 2GB, I think?) to cause an integer to overflow and then overflow a buffer.
The discussion focuses on the client aspect of this and it's not clear if git-receive-pack (or other server-side operations like garbage collection) are vulnerable or not, but I'd guess they are.
We probably can not prevent this directly in any reasonable way at our current levels of Git technology. We could place a limit on path lengths (say, 1GB), which could prevent an evil repository from being hosted permanently on Phabricator, but git reads the path before we can act so this couldn't necessarily prevent an attacker from exploiting the issue.
Instead, I plan to:
- Add a warning to Phabricator that git on the server is older than 2.7.4.
- Likely add a warning to arc that git on the client is older than 2.7.4.
- Update git in the Phacility cluster.