Bug 30633

Summary: libgit2 new security issues CVE-2023-22742 and CVE-2024-24577
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bruno, herman.viaene, marja11, nicolas.salguero, pkg-bugs, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: libgit2-1.1.0-1.mga8.src.rpm CVE: CVE-2023-22742, CVE-2024-24577
Status comment:
Bug Depends on: 30985    
Bug Blocks:    

Description David Walser 2022-07-14 19:04:22 CEST 
Upstream has issued an advisory on July 12:
https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/

The issue is fixed upstream in 2.30.5.
Comment 1 David Walser 2022-07-14 19:05:40 CEST 
Ubuntu has issued an advisory for this on July 13:
https://ubuntu.com/security/notices/USN-5511-1
Comment 2 David Walser 2022-07-14 19:33:50 CEST 
Fedora has issued an advisory today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPMAKEXKQSXAMPSW4AZSOG6QKNYUL4FD/

It references a fix for git issue CVE-2022-24765 upstream in 1.3.1:
https://github.com/libgit2/libgit2/releases/tag/v1.3.1

And as with git itself, there were further fixes for that issue that constituted this CVE-2022-29187, which is fixed in libgit 1.3.2:
https://github.com/libgit2/libgit2/releases/tag/v1.3.2

Summary: git new security issue CVE-2022-29187 => git/libgit2 new security issue CVE-2022-29187
Status comment: (none) => Fixed upstream in git 2.30.5 and libgit2 1.3.2
Source RPM: git-2.30.4-1.mga8.src.rpm => git-2.30.4-1.mga8.src.rpm, libgit2-1.1.0-1.mga8.src.rpm

Comment 3 Marja Van Waes 2022-07-16 11:40:22 CEST 
Assigning to our registered maintainer for libgit2
CC'ing all packagers collectively for git

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => thierry.vignaud

Comment 4 David Walser 2022-07-22 17:10:03 CEST 
Fedora has issued an advisory for git on July 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
Comment 5 David Walser 2022-09-16 19:09:10 CEST 
openSUSE has issued an advisory for libgit2 on September 15:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O5GNJU7AMN2F6LPU35TXF6SJ5JFFLZUU/
David Walser 2022-10-19 16:20:49 CEST

Depends on: (none) => 30985

Comment 6 Bruno Cornec 2022-12-23 11:20:46 CET 
Seems  30985 is fixed and git 2.30.6 is now available for mga8

I could work on updating libgit2 if Thierry is Ok.

CC: (none) => bruno

Comment 7 David Walser 2023-01-27 16:29:33 CET 
Fedora has issued an advisory for libgit2 today (January 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
Comment 8 David Walser 2023-02-24 20:13:07 CET 
Updated git packages have been pushed fixing CVE-2022-29187.

Debian-LTS has issued an advisory on February 23:
https://www.debian.org/lts/security/2023/dla-3340

It fixes a new issue in libgit2 that is fixed upstream in 1.4.5:
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq

Mageia 8 is also affected.

Version: 8 => Cauldron
Status comment: Fixed upstream in git 2.30.5 and libgit2 1.3.2 => Fixed upstream in 1.4.5
Source RPM: git-2.30.4-1.mga8.src.rpm, libgit2-1.1.0-1.mga8.src.rpm => libgit2-1.1.0-1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
Summary: git/libgit2 new security issue CVE-2022-29187 => libgit2 new security issues CVE-2022-29187 and CVE-2023-22742

Comment 9 David Walser 2023-03-28 16:43:51 CEST 
SUSE has issued an advisory for CVE-2023-22742 on March 24:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014158.html
Comment 10 Nicolas Salguero 2024-03-13 13:32:18 CET 
Mageia 8 EOL.

Debian-LTS has issued an advisory for CVE-2024-24577 on February 27:
https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html

Status comment: Fixed upstream in 1.4.5 => (none)
CVE: (none) => CVE-2023-22742, CVE-2024-24577
Summary: libgit2 new security issues CVE-2022-29187 and CVE-2023-22742 => libgit2 new security issues CVE-2023-22742 and CVE-2024-24577
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => MGA9TOO

Comment 11 Nicolas Salguero 2024-03-13 13:37:47 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. (CVE-2023-22742)

Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. (CVE-2024-24577)

References:
https://www.debian.org/lts/security/2023/dla-3340
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014158.html
https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
========================

Updated packages in core/updates_testing:
========================
lib(64)git2_1.3-1.3.2-1.1.mga9
lib(64)git2-devel-1.3.2-1.1.mga9

from SRPM:
libgit2-1.3.2-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: thierry.vignaud => qa-bugs

katnatek 2024-03-13 21:34:34 CET

Keywords: (none) => advisory

Comment 12 Herman Viaene 2024-03-14 11:57:43 CET 
MGA9-64  Plasma Wayland on HP-Pavillion.
No installation issues.
Ref bug 26464, installed basket and added new basket with text file and som screenshot. All works OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 13 Herman Viaene 2024-03-14 12:00:22 CET 
Forgot to mention: I get a lot of warnings on Wayland at the CLI, but that doesn't stop basket working OK.
Comment 14 Thomas Andrews 2024-03-14 14:03:39 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 15 Mageia Robot 2024-03-14 18:27:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0059.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED