Bug 23642

Summary: git new security issue CVE-2018-17456
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, mageia, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: git-2.13.7-1.mga6.src.rpm CVE:
Status comment:

Description Thomas Backlund 2018-10-06 11:14:02 CEST 
Advisory:
joernchen of Phenoelit discovered that git is prone to an arbitrary code
execution vulnerability due to insufficient validation of submodule url
and path via a specially crafted .gitmodules file in a project cloned
with --recurse-submodules (CVE-2018-17456).


SRPM:
git-2.13.7-1.2.mga6.src.rpm


i586:
git-2.13.7-1.2.mga6.i586.rpm
git-arch-2.13.7-1.2.mga6.i586.rpm
git-core-2.13.7-1.2.mga6.i586.rpm
git-core-oldies-2.13.7-1.2.mga6.i586.rpm
git-cvs-2.13.7-1.2.mga6.i586.rpm
git-email-2.13.7-1.2.mga6.i586.rpm
gitk-2.13.7-1.2.mga6.i586.rpm
git-prompt-2.13.7-1.2.mga6.i586.rpm
git-svn-2.13.7-1.2.mga6.i586.rpm
gitweb-2.13.7-1.2.mga6.i586.rpm
libgit-devel-2.13.7-1.2.mga6.i586.rpm
perl-Git-2.13.7-1.2.mga6.i586.rpm
perl-Git-SVN-2.13.7-1.2.mga6.i586.rpm


x86_64:
git-2.13.7-1.2.mga6.x86_64.rpm
git-arch-2.13.7-1.2.mga6.x86_64.rpm
git-core-2.13.7-1.2.mga6.x86_64.rpm
git-core-oldies-2.13.7-1.2.mga6.x86_64.rpm
git-cvs-2.13.7-1.2.mga6.x86_64.rpm
git-email-2.13.7-1.2.mga6.x86_64.rpm
gitk-2.13.7-1.2.mga6.x86_64.rpm
git-prompt-2.13.7-1.2.mga6.x86_64.rpm
git-svn-2.13.7-1.2.mga6.x86_64.rpm
gitweb-2.13.7-1.2.mga6.x86_64.rpm
lib64git-devel-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-SVN-2.13.7-1.2.mga6.x86_64.rpm
David Walser 2018-10-06 15:35:39 CEST

Summary: Update request: git-2.13.7-1.2.mga6 => git new security issue CVE-2018-17456
Source RPM: git => git-2.13.7-1.mga6.src.rpm

Comment 1 Len Lawrence 2018-10-07 13:04:05 CEST 
Mageia 6, x86_64

Before updating:
Checked for the presence of the packages listed.  Installed gitweb.
Consulted man pages for git and gittutorial and introduced myself to github.

$ git config --global user.name <user>
$ git config --global user.email <email>

Updated all the packages listed.
$ git --version
git version 2.13.7

Repeated the user introduction.  No objections raised.
$ git init
Initialized empty Git repository in /home/lcl/ruby/qa/.git/

That just happened to be where the terminal was sitting.  I have a large number of local utilities and projects but nothing in a form suitable for creating a project tarball (presumably there are standards to be observed) so cannot take this any further.  The man pages or --help do not say how to interrogate github or list existing projects.

Leaving this for others to test more fully.

CC: (none) => tarazed25

Comment 2 PC LX 2018-10-08 12:14:27 CEST 
Installed and tested without issues.

Tests included local and remote repositories and the common operation (e.g. clone, commit, push, pull, diff, add, status, init).

System: Mageia 6, x86_64, Intel CPU.

The updated packages:
- git-2.13.7-1.2.mga6.x86_64
- git-arch-2.13.7-1.2.mga6.x86_64
- git-core-2.13.7-1.2.mga6.x86_64
- git-core-oldies-2.13.7-1.2.mga6.x86_64
- git-cvs-2.13.7-1.2.mga6.x86_64
- git-email-2.13.7-1.2.mga6.x86_64
- git-prompt-2.13.7-1.2.mga6.x86_64
- git-svn-2.13.7-1.2.mga6.x86_64
- gitk-2.13.7-1.2.mga6.x86_64
- perl-Git-2.13.7-1.2.mga6.x86_64
- perl-Git-SVN-2.13.7-1.2.mga6.x86_64

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i 'git.*2.13.7' | sort
git-2.13.7-1.2.mga6
git-arch-2.13.7-1.2.mga6
git-core-2.13.7-1.2.mga6
git-core-oldies-2.13.7-1.2.mga6
git-cvs-2.13.7-1.2.mga6
git-email-2.13.7-1.2.mga6
gitk-2.13.7-1.2.mga6
git-prompt-2.13.7-1.2.mga6
git-svn-2.13.7-1.2.mga6
perl-Git-2.13.7-1.2.mga6
perl-Git-SVN-2.13.7-1.2.mga6

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 3 Len Lawrence 2018-10-08 18:59:13 CEST 
This can be validated on the basis of the tests by PC_LX.  Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2018-10-10 00:26:16 CEST 
Debian has issued an advisory for this on October 5:
https://www.debian.org/security/2018/dsa-4311

CC: (none) => luigiwalser

Thomas Backlund 2018-10-14 01:49:05 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-10-14 02:59:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0395.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED