Bug 16913

Summary: git 2.3.10 security update (including CVE-2015-7545)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, shlomif, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/660668/
Whiteboard: advisory MGA5-64-OK
Source RPM: git-2.3.8-1.mga5.src.rpm CVE:
Status comment:
Attachments: The Git test procedure that I used in the output of the script command.

Description David Walser 2015-10-06 19:51:21 CEST 
A CVE was requested for a fix in git 2.3.10 and 2.6.1:
http://openwall.com/lists/oss-security/2015/10/06/1

git 2.3.9 and 2.3.10 also contain fixes for potential overflow issues.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
----------------------------------------

The git package has been updated to version 2.3.10, fixing a few security
issues.  These include buffer and integer overflow issues with long file path
names and large files, as well as a remote code execution flaw with some
protocols like git-remote-ext and specially crafted URLs.  See the upstream
release notes for details.

References:
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.9.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.10.txt
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
git-2.3.10-1.mga5
git-core-2.3.10-1.mga5
gitk-2.3.10-1.mga5
gitview-2.3.10-1.mga5
libgit-devel-2.3.10-1.mga5
git-svn-2.3.10-1.mga5
git-cvs-2.3.10-1.mga5
git-arch-2.3.10-1.mga5
git-email-2.3.10-1.mga5
perl-Git-2.3.10-1.mga5
git-core-oldies-2.3.10-1.mga5
gitweb-2.3.10-1.mga5
git-prompt-2.3.10-1.mga5

from git-2.3.10-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Dave Hodgins 2015-10-09 00:29:33 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Shlomi Fish 2015-10-10 15:01:52 CEST 
Since there was no Proof-of-Concept , I just tested normal git use in an x86-64 VM. Adding MGA5-64-OK . I'll attach the output of the script file (possibly useful as a future procedure) soon.

CC: (none) => shlomif
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 Shlomi Fish 2015-10-10 15:03:26 CEST 
Created attachment 7111 [details]
The Git test procedure that I used in the output of the script command.
Comment 3 David Walser 2015-10-10 15:15:02 CEST 
Can anyone verify that Bug 16861 does not affect this update?
Comment 4 Shlomi Fish 2015-10-11 10:03:08 CEST 
(In reply to David Walser from comment #3)
> Can anyone verify that Bug 16861 does not affect this update?

git works fine in an English locale, and from what I know , gitk is not necessary to use git, so it seems like a separate issue.
Comment 5 claire robinson 2015-10-12 09:17:19 CEST 
Validating. Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-10-13 19:49:47 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0396.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-10-14 19:23:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/660668/

Comment 7 David Walser 2015-12-08 16:17:09 CET 
(In reply to David Walser from comment #0)
> as well as a remote code execution flaw with some protocols like
> git-remote-ext and specially crafted URLs

This issue has been assigned CVE-2015-7545:
http://openwall.com/lists/oss-security/2015/12/08/5

Summary: git 2.3.10 security update => git 2.3.10 security update (including CVE-2015-7545)