Bug 31242

Summary: python-gitpython new security issue CVE-2022-24439
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-gitpython-3.1.17-3.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-12-07 23:33:08 CET 
A security issue in GitPython just became public:
https://github.com/gitpython-developers/GitPython/issues/1515
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858

There is no fix available yet, but hopefully there will be soon.
David Walser 2022-12-07 23:33:15 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-12-08 21:15:48 CET 
Assigning anyway to the Python people.
Who is going to notice the fix when published?

Assignee: bugsquad => python

Comment 2 David Walser 2023-01-04 19:09:12 CET 
Fedora has issued an advisory for this today (January 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/

The issue is fixed upstream in 3.1.30.

Status comment: (none) => Fixed upstream in 3.1.30
Severity: normal => critical

Comment 3 papoteur 2023-01-04 19:53:15 CET 
Updated in cauldron

Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Whiteboard: MGA8TOO => (none)

Comment 4 papoteur 2023-01-04 20:08:40 CET 
Now in Mageia 8 testing:
python3-gitpython-3.1.30-1.mga8

Source:
python-gitpython-3.1.30-1.mga8

Status comment: Fixed upstream in 3.1.30 => (none)
Assignee: python => qa-bugs

Comment 5 Herman Viaene 2023-01-06 17:09:35 CET 
MGA8-644 MATE on Acer Aspire 5253
No installation issues.
Following procedure from bug 18540 Comment 5, first installed git and its dependencies, then
$ git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Cloning into 'linux'...
remote: Enumerating objects: 539, done.
remote: Counting objects: 100% (539/539), done.
remote: Compressing objects: 100% (307/307), done.
remote: Total 9229031 (delta 342), reused 314 (delta 232), pack-reused 9228492
Receiving objects: 100% (9229031/9229031), 2.54 GiB | 4.41 MiB/s, done.
Resolving deltas: 100% (7565206/7565206), done.
Checking objects: 100% (33554432/33554432), done.
Updating files: 100% (79495/79495), done.

$ python3
Python 3.8.14 (default, Oct  4 2022, 06:27:18) 
[GCC 10.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from git import repo
>>> rp = repo.Repo('~/linux/')
>>> cm = rp.commit("ad3e2751e7")
>>> cm.stats.files.keys()
dict_keys(['drivers/ntb/ntb_hw.c'])
>>> exit()

That is exactly the same, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-01-07 13:58:49 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-01-11 04:23:53 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-01-13 18:38:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0001.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED