Btw, this other test case will trigger a similar issue, but in another line of
code:
To reproduce:
$ git init ; mkdir -p .git/objects/b2 ; printf
'eJwNwoENgDAIBECkDsII5Z8CHagLGPePXu59zjHGRIOZG3OzI/lnRc4KemXDPdYSml6iQ+4ATIZ+nAEK4g=='
| base64 -d > .git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0
Then:
$ git fsck
notice: HEAD points to an unborn branch (master)
=================================================================
==24569==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7645fda0 at pc 0x0000006fe799 bp 0x7ffe7645fc40 sp 0x7ffe7645fc30
READ of size 1 at 0x7ffe7645fda0 thread T0
#0 0x6fe798 in parse_sha1_header_extended
/home/g/Work/Code/git-2.10.0/sha1_file.c:1714
...
It will be nice to test the current patch.
----- Original Message -----
> Junio C Hamano <[email protected]> writes:
>
> > I am inclined to say that it has no security implications. You have
> > to be able to write a bogus loose object in an object store you
> > already have write access to in the first place, in order to cause
> > this ...
>
> Note that you could social-engineer others to fetch from you and
> feed a small enough update that results in loose objects created in
> their repositories, without you having a direct write access to the
> repository.
>
> The codepath under discussion in this thread however cannot be used
> as an attack vector via that route, because the "fetch from
> elsewhere" codepath runs verification of the incoming data stream
> before storing the results (either in loose object files, or in a
> packfile) on disk.
>
>
