Bug 21503

Summary: git new security issue CVE-2017-1000117
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: lewyssmith, mageia, nathan95, sysadmin-bugs
Version: 6
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA5TOO advisory MGA6-64-OK MGA5-64-OK
Source RPM: git-2.13.3-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-08-12 00:28:06 CEST
A security issue fixed upstream in git has hit the press:
http://www.esecurityplanet.com/threats/git-svn-and-mercurial-open-source-version-control-systems-update-for-critical-security-vulnerability.html

The issue is fixed in 2.13.5 and 2.14.1 (already in Cauldron).

Mageia 5 is probably also affected.
Comment 1 David Walser 2017-08-12 03:01:38 CEST
Debian has issued an advisory for this on August 10:
https://www.debian.org/security/2017/dsa-3934

Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated git packages fix security vulnerability:

Joern Schneeweisz discovered that git, a distributed revision control system,
did not correctly handle maliciously constructed ssh:// URLs. This allowed an
attacker to run an arbitrary shell command, for instance via git submodules
(CVE-2017-1000117).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.5.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.6.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.5.txt
https://www.debian.org/security/2017/dsa-3934
========================

Updated packages in core/updates_testing:
========================
git-2.7.6-1.mga5
git-core-2.7.6-1.mga5
gitk-2.7.6-1.mga5
gitview-2.7.6-1.mga5
libgit-devel-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-email-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
gitweb-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-2.13.5-1.mga6
git-core-2.13.5-1.mga6
gitk-2.13.5-1.mga6
libgit-devel-2.13.5-1.mga6
git-svn-2.13.5-1.mga6
git-cvs-2.13.5-1.mga6
git-arch-2.13.5-1.mga6
git-email-2.13.5-1.mga6
perl-Git-2.13.5-1.mga6
perl-Git-SVN-2.13.5-1.mga6
git-core-oldies-2.13.5-1.mga6
gitweb-2.13.5-1.mga6
git-prompt-2.13.5-1.mga6

from SRPMS:
git-2.7.6-1.mga5.src.rpm
git-2.13.5-1.mga6.src.rpm

Whiteboard: (none) => MGA5TOO
Assignee: tmb => qa-bugs
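
The advisory quoted above only says "maliciously constructed ssh:// URLs". The mechanism behind CVE-2017-1000117 is that git handed the host part of an ssh URL straight to the ssh binary, so a host beginning with a dash (for example -oProxyCommand=some-command) was parsed by ssh as an option and the named command was run; the 2.7.6 and 2.13.5 releases listed in the advisory reject such hosts. The script below is an added example, not code from this bug report, from Mageia or from the git project: it scans a .gitmodules file for submodule URLs whose ssh host starts with a dash, which is a useful pre-clone check on a system still running a git older than the fixed versions. It covers both the ssh://[user@]host[:port]/path form and the scp-like [user@]host:path form that git also sends over ssh. The .gitmodules text, submodule names and option strings are constructed for illustration.

```python
"""Flag .gitmodules entries whose ssh host would be parsed by ssh as an option.

Added example for CVE-2017-1000117; not part of the Mageia bug or of git.
Detection logic: take the host git would pass to ssh and reject it when it
begins with '-', which is what git 2.7.6 / 2.13.5 do themselves.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample .gitmodules: one benign submodule and two crafted ones
# (the option strings are illustrative, not a real exploit payload).
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.org/libfoo.git
[submodule "vendor/evil"]
\tpath = vendor/evil
\turl = ssh://-oProxyCommand=some-command/x
[submodule "vendor/evil2"]
\tpath = vendor/evil2
\turl = -oProxyCommand=id:repo.git
"""

# URL schemes that git transports over ssh.
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def ssh_host(url):
    """Return the host an ssh-transport URL hands to ssh, or None when the
    URL is not ssh-based (http(s)://, git://, file://, plain local paths).

    The host text is kept exactly as git would see it; urlsplit().hostname
    is deliberately not used because it normalises the value.
    """
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme not in SSH_SCHEMES:
            return None
        netloc = parts.netloc.rsplit("@", 1)[-1]  # drop user@
        # Strip a :port suffix; bracketed IPv6 literals are left whole.
        if ":" in netloc and not netloc.startswith("["):
            netloc = netloc.rsplit(":", 1)[0]
        return netloc
    # scp-like syntax host:path, recognised when the part before the first
    # ':' contains no '/' (mirrors git's heuristic; a bare "C:" drive letter
    # is also matched here, but "C" does not start with '-').
    head, sep, _ = url.partition(":")
    if sep and "/" not in head:
        return head.rsplit("@", 1)[-1]
    return None


def url_is_option_injection(url):
    """True when the host git would pass to ssh begins with '-'."""
    host = ssh_host(url)
    return host is not None and host.startswith("-")


def scan_gitmodules(text):
    """Return [(submodule name, url)] for every entry with a dangerous URL.

    .gitmodules is git-config syntax, which configparser reads well enough
    for this purpose once interpolation is disabled ('$' is legal in URLs).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not (section.startswith('submodule "') and section.endswith('"')):
            continue
        url = cp.get(section, "url", fallback=None)
        if url and url_is_option_injection(url.strip()):
            name = section[len('submodule "'):-1]
            findings.append((name, url.strip()))
    return findings


if __name__ == "__main__":
    for name, url in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"DANGEROUS submodule {name!r}: ssh host starts with '-': {url}")
```

To check a real checkout, read the repository's .gitmodules into scan_gitmodules() before running git clone --recurse-submodules or git submodule update; any finding means the submodule URL would have driven ssh option parsing on an unpatched git. On git 2.7.6 / 2.13.5 or later the same URLs are refused by git itself, so the script is a stop-gap for hosts that cannot yet take the update, not a replacement for it.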

Lewis Smith 2017-08-13 10:18:38 CEST

Whiteboard: MGA5TOO => MGA5TOO advisory

nathan giovannini 2017-08-13 14:12:34 CEST

CC: (none) => nathan95
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA6-64-OK

Comment 2 PC LX 2017-08-13 19:00:08 CEST
Installed and tested without issues. Tested on local and remote repositories, including github repositories.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i '^git|libgit|perl-git' | sort
git-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-core-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-email-2.7.6-1.mga5
gitk-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5

Whiteboard: MGA5TOO advisory MGA6-64-OK => MGA5TOO advisory MGA6-64-OK MGA5-64-OK
CC: (none) => mageia

Comment 3 Lewis Smith 2017-08-13 20:42:52 CEST
Validating under our temporary short-cut policy: 1 OK per release OK here.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2017-08-14 00:20:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0266.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED