| Summary: | git security vulnerability CVE-2017-8386 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, davidwhodgins, lewyssmith, luigiwalser, marja11, smelror, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.linuxsecurity.com/content/view/171432/170/ | | |
| Whiteboard: | advisory mga5-32-ok mga5-64-ok | | |
| Source RPM: | git | CVE: | |
| Status comment: | | | |
Description (comment #0), Zombie Ryushu, 2017-05-11 08:23:17 CEST

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help".

Comment #1, Stig-Ørjan Smelror

(In reply to Zombie Ryushu from comment #0)
> Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> login shell for Git-only SSH access, allows a user to run an interactive
> pager by causing it to spawn "git upload-pack --help".

Is this vulnerability present in the recent 2.13.0?

CC: (none) => smelror

Comment #2, Marja van Waes

(In reply to Stig-Ørjan Smelror from comment #1)
> (In reply to Zombie Ryushu from comment #0)
> > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > login shell for Git-only SSH access, allows a user to run an interactive
> > pager by causing it to spawn "git upload-pack --help".
>
> Is this vulnerability present in the recent 2.13.0?

It got fixed:
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt

Changing component to Security and assigning to the registered maintainer.

(The CVE is still reserved, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )

CC: (none) => marja11

Comment #3

(In reply to Marja van Waes from comment #2)
> (In reply to Stig-Ørjan Smelror from comment #1)
> > (In reply to Zombie Ryushu from comment #0)
> > > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > > login shell for Git-only SSH access, allows a user to run an interactive
> > > pager by causing it to spawn "git upload-pack --help".
> >
> > Is this vulnerability present in the recent 2.13.0?
>
> It got fixed:
> https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt
>
> Changing component to Security and assigning to the registered maintainer.
>
> (The CVE is still reserved,
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )

git-2.13.0 was pushed to Cauldron. Can I upgrade it to 2.13.0 on mageia v5 as well?

Version: Cauldron => 5

Comment #4, David Walser

Link to the actual Debian advisory from May 10:
https://www.debian.org/security/2017/dsa-3848

They backported a patch, so we may be able to use it for Mageia 5.

CC: (none) => luigiwalser

Comment #5 (shlomif)

(In reply to David Walser from comment #4)
> Link to the actual Debian advisory from May 10:
> https://www.debian.org/security/2017/dsa-3848
>
> They backported a patch, so we may be able to use it for Mageia 5.

Thanks, David! I built a new git-2.7.4-1.1.mga5 package for mageia 5 core/updates_testing. Assigning to QA for testing. We also need to write an advisory.

Assignee: shlomif => qa-bugs

Comment #6

Thanks Shlomi!

Advisory:
========================

Updated git packages fix security vulnerability:

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help" (CVE-2017-8386).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
https://www.debian.org/security/2017/dsa-3848
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.1.mga5
git-core-2.7.4-1.1.mga5
gitk-2.7.4-1.1.mga5
gitview-2.7.4-1.1.mga5
libgit-devel-2.7.4-1.1.mga5
git-svn-2.7.4-1.1.mga5
git-cvs-2.7.4-1.1.mga5
git-arch-2.7.4-1.1.mga5
git-email-2.7.4-1.1.mga5
perl-Git-2.7.4-1.1.mga5
git-core-oldies-2.7.4-1.1.mga5
gitweb-2.7.4-1.1.mga5
git-prompt-2.7.4-1.1.mga5

from git-2.7.4-1.1.mga5.src.rpm
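As an added example (not code from this bug, from the Mageia packages or from git itself), here is a Python model of the argument validation a restricted Git shell needs, in the spirit of the git-shell hardening this update backports: a client may only run an allow-listed command with one single-quoted repository path, and an argument that looks like an option is refused before any process is spawned. The allow-list, the quoting rule and the error strings are assumptions modelled on git-shell's behaviour, not a copy of its source.

```python
# Commands a Git-only SSH account may run, each taking exactly one repository
# argument (assumption: modelled on git-shell's allow-list, not copied from it).
ALLOWED_COMMANDS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}


class ShellRejected(Exception):
    """Raised when a command line fails the restricted-shell checks."""


def sq_dequote(arg: str) -> str:
    """Undo shell single-quoting ('it'\\''s' -> it's); reject anything else."""
    if len(arg) < 2 or arg[0] != "'" or arg[-1] != "'":
        raise ShellRejected(f"argument must be single-quoted: {arg!r}")
    inner = arg[1:-1]
    # Only the '\'' escape may appear inside; any other quote means a second
    # word was smuggled in (e.g. 'a' 'b'), so refuse it.
    if "'" in inner.replace("'\\''", ""):
        raise ShellRejected(f"unbalanced quote in argument: {arg!r}")
    return inner.replace("'\\''", "'")


def parse_command(line: str):
    """Split "git-cmd 'repo'" (or "git cmd 'repo'") into (cmd, repo), mirroring
    the shape git-shell accepts: a known command, one space, one quoted path."""
    line = line.strip()
    # Accept "git upload-pack" as if the client had said "git-upload-pack".
    if line.startswith("git "):
        line = "git-" + line[4:]
    cmd, sep, rest = line.partition(" ")
    if cmd not in ALLOWED_COMMANDS:
        raise ShellRejected(f"command not allowed: {cmd!r}")
    if not sep:
        raise ShellRejected("missing repository argument")
    repo = sq_dequote(rest.strip())
    # The hardening this update backports: a repository argument may never look
    # like an option, so '--help' (which would open a pager) never reaches the
    # real git-upload-pack binary.
    if not repo or repo.startswith("-"):
        raise ShellRejected(f"bad argument: {repo!r}")
    return cmd, repo


def is_accepted(line: str) -> bool:
    """True if the restricted shell would run the line, False if it refuses."""
    try:
        parse_command(line)
        return True
    except ShellRejected:
        return False
```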
Comment #7, Dave Hodgins, 2017-05-21 03:06:26 CEST

Whiteboard: (none) => advisory

Comment #8 (Brian, brtians1)

To satisfy dependencies, the following package(s) also need to be installed:
- cvs-1.12.13-25.mga5.i586
- cvsps-2.2b1-6.mga5.i586
- git-arch-2.7.4-1.1.mga5.i586
- git-core-2.7.4-1.1.mga5.i586
- git-core-oldies-2.7.4-1.1.mga5.i586
- git-cvs-2.7.4-1.1.mga5.i586
- git-email-2.7.4-1.1.mga5.i586
- git-prompt-2.7.4-1.1.mga5.i586
- git-svn-2.7.4-1.1.mga5.i586
- gitk-2.7.4-1.1.mga5.i586
- libapr-util1_0-1.5.4-4.mga5.i586
- libapr1_0-1.5.1-3.mga5.i586
- libserf1-1.3.8-1.mga5.i586
- libsvn0-1.8.17-1.mga5.i586
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.i586
- perl-Error-0.170.220-4.mga5.noarch
- perl-Git-2.7.4-1.1.mga5.i586
- perl-MIME-Base64-3.140.0-7.mga5.i586
- perl-SVN-1.8.17-1.mga5.i586
- perl-YAML-1.110.0-5.2.mga5.noarch
- subversion-1.8.17-1.mga5.i586
- tk-8.5.15-3.mga5.i586

54MB of additional disk space will be used.

These may be the easiest instructions for git you can have (forgive his language): http://rogerdudler.github.io/git-guide/

FYI, do this in a VM unless you want home under git influence.

```
$ git init
```

Configure git some:

```
$ git config --global user.name "your name"
$ git config --global user.email "yourEmail@serviceyouuse.com"
```

Now I'm listing out some files on the VM I can save in git. I'll pick one.

```
[brian@localhost Documents (master)]$ ls
git271.odt  openvpn2316.odt
$ git add openvpn2316.odt
[brian@localhost Documents (master)]$ git commit -m "Commit message"
[master (root-commit) b1dcabf] Commit message
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Documents/openvpn2316.odt
```

Seems to be working as designed. I am a git neophyte who has used it on a small cloud project, that's about it. Developers chime in.

CC: (none) => brtians1

Comment #9 (Brian, brtians1)

```
$ uname -a
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 17:56:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```

To satisfy dependencies, the following package(s) also need to be installed:
- cvs-1.12.13-25.mga5.x86_64
- cvsps-2.2b1-6.mga5.x86_64
- git-arch-2.7.4-1.1.mga5.x86_64
- git-core-2.7.4-1.1.mga5.x86_64
- git-core-oldies-2.7.4-1.1.mga5.x86_64
- git-cvs-2.7.4-1.1.mga5.x86_64
- git-email-2.7.4-1.1.mga5.x86_64
- git-prompt-2.7.4-1.1.mga5.x86_64
- git-svn-2.7.4-1.1.mga5.x86_64
- gitk-2.7.4-1.1.mga5.x86_64
- lib64serf1-1.3.8-1.mga5.x86_64
- lib64svn0-1.8.17-1.mga5.x86_64
- perl-Authen-SASL-2.160.0-5.mga5.noarch
- perl-Digest-HMAC-1.30.0-6.mga5.noarch
- perl-Digest-SHA1-2.130.0-15.mga5.x86_64
- perl-Error-0.170.220-4.mga5.noarch
- perl-Git-2.7.4-1.1.mga5.x86_64
- perl-MIME-Base64-3.140.0-7.mga5.x86_64
- perl-SVN-1.8.17-1.mga5.x86_64
- perl-YAML-1.110.0-5.2.mga5.noarch
- subversion-1.8.17-1.mga5.x86_64
- tk-8.5.15-3.mga5.x86_64

51MB of additional disk space will be used.

```
$ git add git27411_backup.odt
$ git commit -m "gitbackup"
[master (root-commit) 7acde0b] gitbackup
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Documents/git27411_backup.odt
$ git checkout -b git_doc
D Documents/git27411_backup.odt
Switched to a new branch 'git_doc'
$ git pull
fatal: No remote repository specified. Please, specify either a URL or a remote name from which new revisions should be fetched.
$ git checkout master
D Documents/git27411_backup.odt
Switched to branch 'master'
$ git checkout -- git27411_backup.odt
```

----updated doc with these changes.

```
$ git add git27411_backup.odt
$ git commit -m "gitbackup2"
[master 24ff497] gitbackup2
 1 file changed, 0 insertions(+), 0 deletions(-)
 rewrite Documents/git27411_backup.odt (77%)
```

------------
Working as designed

Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok mga5-64-ok

Comment #10

@Brian Thank you for testing this update on both architectures. Am validating.

Keywords: (none) => validated_update

Comment #11

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0153.html

Resolution: (none) => FIXED