Bug 30277

Summary: git new security issue CVE-2022-24765
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: git-2.30.2-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-04-12 22:40:53 CEST 
Upstream has announced a security issue fixed in git today (April 12):
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

The issue is fixed upstream in 2.30.3 and 2.35.2.

Mageia 8 is also affected.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated git packages fix security vulnerability:

On multi-user machines, Git users might find themselves unexpectedly in a Git
worktree, e.g. when another user created a repository in /tmp, in a mounted
network drive or in a scratch space. Merely having a Git-aware prompt that
runs 'git status' (or 'git diff') and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an editor or IDE
such as VS Code or Atom, will potentially run commands defined by that other
user (CVE-2022-24765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
========================

Updated packages in core/updates_testing:
========================
git-2.30.3-1.mga8
git-core-oldies-2.30.3-1.mga8
git-prompt-2.30.3-1.mga8
git-arch-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8
git-email-2.30.3-1.mga8
git-svn-2.30.3-1.mga8
perl-Git-SVN-2.30.3-1.mga8
git-cvs-2.30.3-1.mga8
gitweb-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
libgit-devel-2.30.3-1.mga8
git-core-2.30.3-1.mga8

from git-2.30.3-1.mga8.src.rpm
Comment 1 David Walser 2022-04-12 22:53:02 CEST 
Ubuntu has issued an advisory for this today (April 12):
https://ubuntu.com/security/notices/USN-5376-1
Comment 2 Herman Viaene 2022-04-13 11:34:40 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Ref bug 26516 Comment 1 for testing.
$ git init
hint: a few of those
Initialized empty Git repository in /home/tester8/.git/
[tester8@mach5 ~ (master)]$ git config --global user.name "tester8"
[tester8@mach5 ~ (master)]$ git config --global user.email "herman.viaene@hotmail.be"
[tester8@mach5 ~ (master)]$ git add ~/Documenten/fribidi.txt 

[tester8@mach5 ~ (master)]$ git branch
[tester8@mach5 ~ (master)]$ git show
fatal: your current branch 'master' does not have any commits yet
[tester8@mach5 ~ (master)]$ git commit
Aborting commit due to empty commit message.
this seems different from previous versions, but seems logical.
[tester8@mach5 ~ (master)]$ git commit -m"message"
[master (root-commit) c56ff46] message
 1 file changed, 147490 insertions(+)
 create mode 100644 Documenten/fribidi.txt
[tester8@mach5 ~ (master)]$ git show
commit c56ff46718d7d2bc7f772e190a7aff1648871e12 (HEAD -> master)
Author: tester8 <herman.viaene@hotmail.be>
Date:   Wed Apr 13 11:11:30 2022 +0200

    message

diff --git a/Documenten/fribidi.txt b/Documenten/fribidi.txt
new file mode 100644
index 0000000..29a0692
--- /dev/null
+++ b/Documenten/fribidi.txt
and then the contents of the file.

This all seems inline with the older test, but whether this is sufficient, I don't know since I'm absolutely not familiar with git.

CC: (none) => herman.viaene

Comment 3 PC LX 2022-04-14 12:12:38 CEST 
Installed and tested without issues.

Tested with existing, cloned and new repositories. Integration with QtCreate, Netbeans and KDevelop IDE were tested. Bunch of CLI commands were tested.

No issues found.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.15.32-desktop-1.mga8 #1 SMP Mon Mar 28 08:31:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i git.*2\.30 | sort
git-2.30.3-1.mga8
git-core-2.30.3-1.mga8
git-email-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8

CC: (none) => mageia

Comment 4 Thomas Andrews 2022-04-14 14:34:34 CEST 
Sounds like enough to me. Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Comment 5 David Walser 2022-04-15 20:23:59 CEST 
An improvement was made to the fix for this issue:
https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/T/#u

Update to 2.30.4 building...please test again.

git-2.30.4-1.mga8
git-core-oldies-2.30.4-1.mga8
git-prompt-2.30.4-1.mga8
git-arch-2.30.4-1.mga8
perl-Git-2.30.4-1.mga8
git-email-2.30.4-1.mga8
git-svn-2.30.4-1.mga8
perl-Git-SVN-2.30.4-1.mga8
git-cvs-2.30.4-1.mga8
gitweb-2.30.4-1.mga8
gitk-2.30.4-1.mga8
git-subtree-2.30.4-1.mga8
libgit-devel-2.30.4-1.mga8
git-core-2.30.4-1.mga8

from git-2.30.4-1.mga8.src.rpm

Keywords: validated_update => (none)
Whiteboard: MGA8-64-OK => (none)

Comment 6 Dave Hodgins 2022-04-20 03:35:25 CEST 
Update installs cleanly.
[dave@x3 copyiso2usb (master)]$ git pull --rebase
Already up to date.

Validating the update. Advisory committed to svn.

CC: (none) => davidwhodgins
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK

Comment 7 Mageia Robot 2022-04-22 19:08:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0147.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED