| Summary: | git new security issues CVE-2022-39253 and CVE-2022-39260 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | git-2.30.4-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 30633 | ||

Description
David Walser
2022-10-19 16:20:33 CEST

Ubuntu has issued an advisory for this on October 18:
https://ubuntu.com/security/notices/USN-5686-1

Assigning to Stig who has done a lot of version updates for this thing. Note this is a rare security update just for Mageia 8. I see in Cauldron updates to 2.30.0/1/2, then it jumps to 2.31 et seq.

Assignee: bugsquad => smelror

David Walser
2022-10-19 16:20:49 CEST

Status comment: (none) => Fixed upstream in 2.30.6

Comment 3

Advisory
========

Git has been updated to fix 2 security issues.

CVE-2022-39253: A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine.

CVE-2022-39260: A malicious actor could intentionally overflow the return value, leading to arbitrary heap writes.

References
==========

https://cve.circl.lu/cve/CVE-2022-39253
https://cve.circl.lu/cve/CVE-2022-39260
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.30.6.txt

Files
=====

Uploaded to core/updates_testing

git-core-oldies-2.30.6-1.mga8
git-2.30.6-1.mga8
perl-Git-2.30.6-1.mga8
git-prompt-2.30.6-1.mga8
git-arch-2.30.6-1.mga8
git-email-2.30.6-1.mga8
git-svn-2.30.6-1.mga8
perl-Git-SVN-2.30.6-1.mga8
git-cvs-2.30.6-1.mga8
gitweb-2.30.6-1.mga8
gitk-2.30.6-1.mga8
git-subtree-2.30.6-1.mga8
lib64git-devel-2.30.6-1.mga8
git-core-2.30.6-1.mga8

from git-2.30.6-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Thanks Stig-Ørjan. Would you mind taking care of libgit2 as well (see Bug 30633)?

Status comment: Fixed upstream in 2.30.6 => (none)

Comment 5

Speaking of which, CVE-2022-29187 needs to be added to the advisory, as this update will fix that too.

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 30277 Comment 2 for testing.

```
$ git init
hint: Using 'master' as the name for the initial branch. This default branch and more hints .....
Initialized empty Git repository in /home/tester8/.git/
$ git config --global user.name "tester8"
$ git config --global user.email "herman.viaene@hotmail.be"
[tester8@mach7 ~]$ git add ~/Documents/exo.txt
[tester8@mach7 ~]$ git branch
[tester8@mach7 ~]$ git show
fatal: your current branch 'master' does not have any commits yet
[tester8@mach7 ~]$ git commit
[master (root-commit) f053db1] test git 2.30.6 commit
 1 file changed, 1293 insertions(+)
 create mode 100644 Documents/exo.txt
```

This is different from the previous version, where I had to issue a specific command for the message; now it is one go.

```
[tester8@mach7 ~]$ git show
commit f053db162a3b560f1252420597ec3b332a3e2b82 (HEAD -> master)
Author: tester8 <herman.viaene@hotmail.be>
Date:   Mon Oct 24 17:01:47 2022 +0200

    test git 2.30.6 commit

diff --git a/Documents/exo.txt b/Documents/exo.txt
new file mode 100644
index 0000000..3902b92
--- /dev/null
+++ b/Documents/exo.txt
@@ -0,0 +1,1293 @@
+execve("/usr/bin/thunar", ["thunar"], 0x7ffc418dda20 /* 68 vars */) = 0
+brk(NULL)                               = 0xf1e000
```

and the further contents of the file....

This is all in line with previous updates, so OK for me.

CC: (none) => herman.viaene

Validating. Advisory in Comment 3, with an addition in Comment 5.

Keywords: (none) => validated_update
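The advisory above fixes the issues in 2.30.6, so the practical check on a Mageia 8 host is whether the git packages or the `git` binary in use are at or above that version. The following POSIX shell script is an added example, not part of this bug report or of Mageia's tooling; it assumes versions compare as dotted numeric components and uses package names copied from the advisory's file list as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a git package or
# a `git --version` line is at or above 2.30.6, the fixed version shipped
# by this advisory. Assumption: dotted numeric version components only.

FIXED_GIT_VERSION="2.30.6"

# version_ge A B: succeed when dotted version A >= B, comparing numeric
# components left to right; a missing component counts as 0 (2.30 < 2.30.6).
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# rpm_version NVR: upstream version of a Mageia package name, e.g.
# git-core-oldies-2.30.6-1.mga8 -> 2.30.6 (drop the release after the last
# dash, then keep what follows the last remaining dash).
rpm_version() {
    nvr="${1%-*}"
    printf '%s\n' "${nvr##*-}"
}

# git_cli_version LINE: version from `git --version` output, e.g.
# "git version 2.30.4" -> 2.30.4 (anything after the version is ignored).
git_cli_version() {
    v="${1#git version }"
    printf '%s\n' "${v%% *}"
}

# package_is_fixed NVR: succeed when the package carries the fixed version.
package_is_fixed() {
    version_ge "$(rpm_version "$1")" "$FIXED_GIT_VERSION"
}

# cli_is_fixed LINE: the same decision for a `git --version` line.
cli_is_fixed() {
    version_ge "$(git_cli_version "$1")" "$FIXED_GIT_VERSION"
}

# Constructed sample input: the source RPM this bug was filed against and
# two packages from the advisory's file list.
for pkg in git-2.30.4-1.mga8.src.rpm git-2.30.6-1.mga8 git-core-oldies-2.30.6-1.mga8; do
    if package_is_fixed "$pkg"; then
        echo "$pkg: at or above $FIXED_GIT_VERSION"
    else
        echo "$pkg: below $FIXED_GIT_VERSION, still affected"
    fi
done

# Live check of whichever git is on PATH, if any.
if command -v git >/dev/null 2>&1; then
    if cli_is_fixed "$(git --version)"; then
        echo "installed git: at or above $FIXED_GIT_VERSION"
    else
        echo "installed git: below $FIXED_GIT_VERSION, still affected"
    fi
fi
```

On a Mageia 8 system the package names would come from `rpm -q git git-core` rather than the constructed list; the parsing works for any of the binary packages listed in the advisory because the release suffix and the package name are stripped from either end of the string.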
Dave Hodgins
2022-10-28 03:57:45 CEST

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0396.html

CC: (none) => davidwhodgins
Status: NEW => RESOLVED