Bug 18013

Summary: git new security issues CVE-2016-2324 and CVE-2016-2315
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, herman.viaene, mageia, shlomif, sysadmin-bugs, thierry.vignaud, tmb
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/680320/
Whiteboard: advisory MGA5-32-OK
Source RPM: git-2.3.10-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-03-15 17:22:21 CET
Some details on security issues fixed in git 2.7.1 were released today (March 15):
http://openwall.com/lists/oss-security/2016/03/15/5

The commit 34fa79a they mention never made it into the 2.3.10 release, which we have in Mageia 5, and commits were not listed for the fixes in 2.7.1 that fully fixed these issues.

The 2.3 branch has not had any more releases.  I'd guess we just need to update to 2.7.3, but I don't know if updating Mageia 5 to the 2.7 branch would cause any issues.
David Walser 2016-03-15 17:22:39 CET

CC: (none) => mageia, thierry.vignaud, tmb

Comment 1 Colin Guthrie 2016-03-15 17:26:25 CET
Personally, I don't think we need to worry about updating to 2.7.3. I've generally followed cauldron and work quite a lot with various git repos and never had an issue.

I vote we just update MGA5 to latest version. Any objections?

Note we should also rebuild/update cgit as part of this change too (I think it's already updated to newer git in MGA5 but probably still needs updating - and at very least checked).
Comment 2 David Walser 2016-03-15 17:27:44 CET
Thanks for the reminder about cgit.  I suspect updating to 2.7.3 should be just fine as well.
Comment 3 Shlomi Fish 2016-03-15 18:21:34 CET
I support updating to git-2.7.3 as well.
Comment 4 Shlomi Fish 2016-03-16 11:09:17 CET
(In reply to David Walser from comment #2)
> Thanks for the reminder about cgit.  I suspect updating to 2.7.3 should be
> just fine as well.

Can I proceed with upgrading git to 2.7.3 in Mageia v5? There seems to be a consensus that it's the best way.

Regards,

-- Shlomi Fish
Comment 5 David Walser 2016-03-16 11:32:25 CET
Thanks Shlomi.  Yes, please proceed.

Colin, would you mind taking care of cgit?
Comment 6 Colin Guthrie 2016-03-16 11:34:13 CET
(In reply to David Walser from comment #5)
> Colin, would you mind taking care of cgit?

Will do!
Comment 7 Colin Guthrie 2016-03-16 11:52:09 CET
cgit-0.12-1.2.mga5 on its way to updates_testing
Comment 8 Shlomi Fish 2016-03-16 14:37:45 CET
git-2.7.3-1.mga5 was submitted to 5 core/updates_testing.
Comment 9 David Walser 2016-03-16 14:44:37 CET
Thanks Shlomi and Colin!

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
========================

Updated packages in core/updates_testing:
========================
git-2.7.3-1.mga5
git-core-2.7.3-1.mga5
gitk-2.7.3-1.mga5
gitview-2.7.3-1.mga5
libgit-devel-2.7.3-1.mga5
git-svn-2.7.3-1.mga5
git-cvs-2.7.3-1.mga5
git-arch-2.7.3-1.mga5
git-email-2.7.3-1.mga5
perl-Git-2.7.3-1.mga5
git-core-oldies-2.7.3-1.mga5
gitweb-2.7.3-1.mga5
git-prompt-2.7.3-1.mga5
cgit-0.12-1.1.mga5

from SRPMS:
git-2.7.3-1.mga5.src.rpm
cgit-0.12-1.1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

David Walser 2016-03-16 14:44:55 CET

Severity: normal => critical

Comment 10 David Walser 2016-03-16 15:02:44 CET
Here is a good explanation of the security issues:
http://www.theregister.co.uk/2016/03/16/git_server_client_patch_now/
Comment 11 David Walser 2016-03-16 15:11:53 CET
More fleshed out advisory.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

The git package has been updated to version 2.7.3, which fixes this issue, as
well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been
updated to version 2.7.3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
Comment 12 David Walser 2016-03-16 15:21:14 CET
The original reporter just pointed out that even 2.7.3 didn't include the CVE-2016-2324 fix(es), so we need to update these again:
http://openwall.com/lists/oss-security/2016/03/16/9

Hopefully 2.7.4 will be rolled out soon!

Whiteboard: (none) => feedback

David Walser 2016-03-16 19:18:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/680320/

Comment 13 David Walser 2016-03-18 14:31:52 CET
git 2.7.4 is now available.  Please update git and cgit again.
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
Comment 14 David Walser 2016-03-18 14:34:24 CET
If anyone wants to try a reproducer, see here:
http://openwall.com/lists/oss-security/2016/03/18/1

I don't think it's necessary for testing the update, but it's there for the curious.
Comment 15 David Walser 2016-03-18 19:53:35 CET
Updated (again) packages uploaded for Mageia 5 and Cauldron.

Thanks Shlomi for the git update.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

The git package has been updated to version 2.7.4, which fixes this issue, as
well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been
updated to version 2.7.4.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
http://openwall.com/lists/oss-security/2016/03/16/9
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.mga5
git-core-2.7.4-1.mga5
gitk-2.7.4-1.mga5
gitview-2.7.4-1.mga5
libgit-devel-2.7.4-1.mga5
git-svn-2.7.4-1.mga5
git-cvs-2.7.4-1.mga5
git-arch-2.7.4-1.mga5
git-email-2.7.4-1.mga5
perl-Git-2.7.4-1.mga5
git-core-oldies-2.7.4-1.mga5
gitweb-2.7.4-1.mga5
git-prompt-2.7.4-1.mga5
cgit-0.12-1.2.mga5

from SRPMS:
git-2.7.4-1.mga5.src.rpm
cgit-0.12-1.2.mga5.src.rpm

Whiteboard: feedback => (none)

Dave Hodgins 2016-03-21 00:07:08 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 16 Herman Viaene 2016-03-24 14:38:50 CET
MGA5-32 on Acer D620 Xfce
No installation issues
I created a new account (didn't have one before) and put three files in hello-world and cloned this one along the lines of the procedure in bug16913. Seems to work OK.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
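As an added example (not part of the bug report or of Mageia's QA tooling), a shell check a tester could run against this update: it verifies that the installed git reports a version at or above the fixed 2.7.4 named in the advisory, then performs the three-files-and-clone smoke test from comment 16. The repository name, file contents and the committer identity are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Fixed version 2.7.4 is taken from the
# advisory in comment 15; the init/commit/clone smoke test follows comment 16.
# Repository name, file contents and committer identity are constructed here.
FIXED_VERSION=2.7.4

# Reduce "git version 2.7.4" (or "git version 2.7.4.GIT") to the dotted number.
git_version_number() {
    printf '%s\n' "$1" | sed -e 's/^git version //' -e 's/[^0-9.].*$//' -e 's/\.*$//'
}

# Field-by-field numeric comparison; returns 0 when $1 >= $2.
# A plain string compare would rank 2.10.0 below 2.7.4, hence integer fields.
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        if [ "$a" = "$v1" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$b" = "$v2" ]; then v2=; else v2=${v2#*.}; fi
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# Does the git on PATH carry the fix? Prints a verdict, returns 0 if it does.
check_installed_git() {
    installed=$(git_version_number "$(git --version 2>/dev/null)")
    if version_ge "${installed:-0}" "$FIXED_VERSION"; then
        echo "git $installed >= $FIXED_VERSION: fixed build installed"
    else
        echo "git ${installed:-not found} < $FIXED_VERSION: not yet updated"; return 1
    fi
}

# Comment 16's procedure: three files in hello-world, then clone it.
smoke_test() {
    work=$(mktemp -d) || return 1
    (
        set -e
        git init -q "$work/hello-world"
        cd "$work/hello-world"
        for f in one two three; do echo "$f" > "$f.txt"; done
        git add .
        git -c user.name=qa -c user.email=qa@example.invalid commit -q -m "three files"
        git clone -q "$work/hello-world" "$work/clone"
        [ "$(ls "$work/clone" | wc -l)" -eq 3 ]   # the three files arrived in the clone
    )
    rc=$?; rm -rf "$work"; return $rc
}

if [ "${1:-}" = run ]; then check_installed_git && smoke_test && echo "smoke test OK"; fi
```

Run it as `sh check-git-update.sh run`; a non-zero exit means either the installed git is older than 2.7.4 or the clone round-trip failed.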

Comment 17 claire robinson 2016-03-24 22:34:56 CET
Validating. Advisory is current.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2016-03-25 07:39:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0119.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED