| Summary: | git new security issues CVE-2019-134[89], CVE-2019-1387, CVE-2019-19604 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | git-2.21.0-2.mga7.src.rpm | CVE: | CVE-2019-1348, CVE-2019-1349, CVE-2019-1387, CVE-2019-19604 |
| Status comment: | |||
Description
David Walser
2019-12-13 12:06:42 CET
Stig has just updated Cauldron to version 2.24.1.

May I assign this to you? [Complain privately if not, I am not CC'd]

Assignee: bugsquad => smelror

Nicolas is working on it.

Assignee: smelror => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. (CVE-2019-1348)

When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. (CVE-2019-1349)

Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. (CVE-2019-1387)

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. (CVE-2019-19604)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604
https://www.openwall.com/lists/oss-security/2019/12/13/1
========================

Updated packages in core/updates_testing:
========================
git-2.21.1-1.mga7
git-core-2.21.1-1.mga7
gitk-2.21.1-1.mga7
lib(64)git-devel-2.21.1-1.mga7
git-subtree-2.21.1-1.mga7
git-svn-2.21.1-1.mga7
git-cvs-2.21.1-1.mga7
git-arch-2.21.1-1.mga7
git-email-2.21.1-1.mga7
perl-Git-2.21.1-1.mga7
perl-Git-SVN-2.21.1-1.mga7
git-core-oldies-2.21.1-1.mga7
gitweb-2.21.1-1.mga7
git-prompt-2.21.1-1.mga7

from SRPMS:
git-2.21.1-1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs
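As an added example (not from this bug, the advisory, or Git's own code): a small Python checker for two of the conditions the advisory describes. It compares a `git --version` string against the fixed releases listed in the CVE-2019-19604 text, and it scans a `.gitmodules` file for `submodule.<name>.update = !command` entries (the .gitmodules-driven command execution that CVE-2019-19604 refers to) and for submodule names containing a `..` path component. The advisory only says that submodule-name validation was too lax, so treating a `..` component as the thing to reject is an assumption of this example, as is the minimal git-config reader; the sample `.gitmodules` is constructed and the `example.invalid` URLs are placeholders.

```python
import re

# Fixed releases taken from the CVE-2019-19604 text in the advisory above.
# Anything older than 2.20 predates every fix; 2.25 and later already carry it.
FIXED_IN = {
    (2, 20): (2, 20, 2),
    (2, 21): (2, 21, 1),
    (2, 22): (2, 22, 2),
    (2, 23): (2, 23, 1),
    (2, 24): (2, 24, 1),
}


def parse_git_version(text):
    """Extract (major, minor, patch) from text such as 'git version 2.21.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text):
    """True if the version predates the fixed release of its series."""
    v = parse_git_version(text)
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    return v < (2, 20, 0)


# Minimal reader for the git-config syntax used by .gitmodules (an assumption
# of this example; it does not handle quoting or include directives).
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def parse_gitmodules(text):
    """Return {submodule name: {lowercased key: value}}."""
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def has_dotdot_component(name):
    """A '..' component (either separator) would let the per-submodule
    directory .git/modules/<name> escape the modules directory."""
    return any(part == ".." for part in re.split(r"[/\\]", name))


def scan_gitmodules(text):
    """Return (name, key, reason) triples for entries worth rejecting."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        if not name or has_dotdot_component(name):
            findings.append((name, "name",
                             "CVE-2019-1387: '..' component in submodule name"))
        if keys.get("update", "").startswith("!"):
            findings.append((name, "update",
                             "CVE-2019-19604: shell command in submodule.<name>.update"))
    return findings


# Constructed sample, not taken from any real repository.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "tools"]
\tpath = tools
\turl = https://example.invalid/tools.git
\tupdate = !echo hijacked
[submodule "../../.git/hooks"]
\tpath = hooks
\turl = https://example.invalid/hooks.git
"""


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout.strip()
        print(out, "-> vulnerable:", is_vulnerable_version(out))
    except (OSError, subprocess.CalledProcessError):
        print("git not found; skipping version check")
    for name, key, reason in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"{name!r} [{key}]: {reason}")
```

Run it on a fresh recursive clone before trusting it: a non-empty result from `scan_gitmodules` on the repository's `.gitmodules` means the repository would have driven the behaviour the advisory describes on an unpatched client, and `is_vulnerable_version` on the `git --version` output says whether the installed client is one of those.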
Thomas Backlund
2019-12-14 01:51:40 CET
Keywords: (none) => advisory

Debian and Ubuntu have issued advisories for this on December 10:
https://www.debian.org/security/2019/dsa-4581
https://usn.ubuntu.com/4220-1/

Severity: normal => major

Installed and tested without issues. Tested using existing, cloned and newly created repositories. Most operations were tested. No issues found.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i git.*2\.21\.1 | sort
git-2.21.1-1.mga7
git-core-2.21.1-1.mga7
git-email-2.21.1-1.mga7
gitk-2.21.1-1.mga7
git-subtree-2.21.1-1.mga7
perl-Git-2.21.1-1.mga7

CC: (none) => mageia

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0393.html

Status: ASSIGNED => RESOLVED