Bug 30497

Summary: ruby-git new security issue CVE-2022-25648
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, pterjan, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ruby-git-1.6.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-05-31 23:05:56 CEST 
Fedora has issued an advisory on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/

The issue is fixed upstream in 1.11.0.
Comment 1 Pascal Terjan 2022-07-01 18:31:07 CEST 
There are a lot of changes between our version and 1.11.0, I'll add the fix only 

https://github.com/ruby-git/ruby-git/pull/569/commits/e36039105c86f1b0512d707054f615812919
Comment 2 Pascal Terjan 2022-07-01 18:48:24 CEST 
ruby-git-1.6.0-1.1.mga8 currently building

Before:

$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE/tmp/VULNERABLE


After:

$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
ls: cannot access '/tmp/VULNERABLE': No such file or directory
Comment 3 David Walser 2022-07-01 21:14:56 CEST 
ruby-git-1.6.0-1.1.mga8
ruby-git-doc-1.6.0-1.1.mga8

from ruby-git-1.6.0-1.1.mga8.src.rpm

Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Keywords: (none) => has_procedure

Comment 4 Len Lawrence 2022-07-02 09:22:32 CEST 
Installed ruby-git.

Before update:
$ mkdir /tmp/VULNERABLE /tmp/project
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
/tmp/VULNERABLE

After update:
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
ls: cannot access '/tmp/VULNERABLE': No such file or directory

$ ri git
shows general usage for the initiated.
Examples at https://github.com/ruby-git/ruby-git

Did not get very far with those - completely unfamiliar territory.
$ irb
irb(main):001:0> require 'git'
/usr/share/gems/gems/git-1.6.0/lib/git/lib.rb:1056: warning: Using the last argument as keyword parameters is deprecated
=> true
irb(main):002:0> g = Git.open( '/tmp/project' )
=> #<Git::Base:0x000000000160d5a0 @logger=nil, @working_directory=#<Git::Wo...
irb(main):003:0> g.index
=> #<Git::Index:0x00000000011e5f40 @path="/tmp/project/.git/index">
irb(main):004:0> g.index.readable?
=> false
irb(main):005:0> g.index.writable?
=> false
irb(main):006:0> g.repo
=> #<Git::Repository:0x00000000011e6030 @path="/tmp/project/.git">
irb(main):007:0> g.dir
=> #<Git::WorkingDirectory:0x00000000011e6170 @path="/tmp/project">
irb(main):008:0> exit

Have to leave it there and give it an OK on the basis of the successful PoC and the fact that it is possible to initiate a local Git project.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2022-07-03 04:47:48 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-04 23:36:19 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-07-05 21:12:30 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED