Bug 23096

Summary: git new security issue CVE-2018-11235
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: git-2.13.6-1.1.mga6.src.rpm CVE:
Status comment: Fixed upstream in 2.13.7

Description David Walser 2018-05-29 21:59:08 CEST 
New versions of git have been announced today:
http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html

Version 2.13.7 fixes two security issues.
David Walser 2018-05-29 21:59:23 CEST

Status comment: (none) => Fixed upstream in 2.13.7

Comment 1 Marja Van Waes 2018-05-30 07:08:27 CEST 
Assigning to our registered git maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-05-30 13:19:00 CEST 
(In reply to Marja Van Waes from comment #1)
> Assigning to our registered git maintainer.

thanks! I submitted git-2.13.7-1.mga6 to updates_testing.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2018-05-30 17:53:02 CEST 
Advisory:
========================

Updated git packages fix security vulnerabilities:

It was possible to trick the code that sanity-checks paths on NTFS into reading
random piece of memory (CVE-2018-11233).

Submodule "names" come from the untrusted .gitmodules file, but we blindly
append them to $GIT_DIR/modules to create our on-disk repo paths. This means you
can do bad things by putting "../" into the name. We now enforce some rules for
submodule names which will cause Git to ignore these malicious names
(CVE-2018-11235).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html
========================

Updated packages in core/updates_testing:
========================
git-2.13.7-1.mga6
git-core-2.13.7-1.mga6
gitk-2.13.7-1.mga6
libgit-devel-2.13.7-1.mga6
git-svn-2.13.7-1.mga6
git-cvs-2.13.7-1.mga6
git-arch-2.13.7-1.mga6
git-email-2.13.7-1.mga6
perl-Git-2.13.7-1.mga6
perl-Git-SVN-2.13.7-1.mga6
git-core-oldies-2.13.7-1.mga6
gitweb-2.13.7-1.mga6
git-prompt-2.13.7-1.mga6

from git-2.13.7-1.mga6.src.rpm
Comment 4 PC LX 2018-06-01 11:51:40 CEST 
Installed and tested without issues.

Tests included the usual operations (e.g. commit, diff, status, log, clone, push, pull) in local and remote repositories (e.g. ssh, https).

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep '^git|^lib(64)?git' | sort                                                                                                                                    
git-2.13.7-1.mga6
git-arch-2.13.7-1.mga6
git-core-2.13.7-1.mga6
git-core-oldies-2.13.7-1.mga6
git-cvs-2.13.7-1.mga6
git-email-2.13.7-1.mga6
gitk-2.13.7-1.mga6
git-prompt-2.13.7-1.mga6
git-svn-2.13.7-1.mga6
lib64git2_25-0.25.0-1.mga6

CC: (none) => mageia

PC LX 2018-06-01 11:51:54 CEST

Whiteboard: (none) => MGA6-64-OK

Thomas Backlund 2018-06-03 12:22:57 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2018-06-03 13:03:23 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0267.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED