| Summary: | ruby-git new security issues CVE-2022-46648, CVE-2022-47318 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, marja11, nicolas.salguero, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ruby-git-1.6.0-1.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2023-02-01 17:54:51 CET
David Walser
2023-02-01 17:55:04 CET
Status comment:
(none) =>
Fixed upstream in 1.13.0 Fedora has issued an advisory for this on January 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/ Severity:
normal =>
major Assigning to all packagers collectively, because there is no registered maintainer for this packages. CC'ing pterjan, who was the last one to push it. Assignee:
bugsquad =>
pkg-bugs Suggested advisory: ======================== The updated packages fix security vulnerabilities: ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. (CVE-2022-46648, CVE-2022-47318) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46648 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47318 https://www.debian.org/lts/security/2023/dla-3303 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/ ======================== Updated packages in core/updates_testing: ======================== ruby-git-1.6.0-1.2.mga8 ruby-git-doc-1.6.0-1.2.mga8 from SRPM: ruby-git-1.6.0-1.2.mga8.src.rpm Status comment:
Fixed upstream in 1.13.0 =>
(none) mageia8, x86_64
Ruby git was already installed.
Had a look at the CVEs but could not figure out how to reproduce the vulnerability and lacking any familiarity with GitHub or git had to make do with a single call to Gif.init to create a local repository in an empty directory.
$ ruby -W0 -rgit -e "Git.init"
That worked. Emptied the directory afterwards and updated the packages.
Running the same command produced the same result.
It created a new folder .git in the current directory with contents:
.git
├── branches
├── config
├── description
├── HEAD
├── hooks
│ ├── applypatch-msg.sample
│ ├── commit-msg.sample
│ ├── fsmonitor-watchman.sample
│ ├── post-update.sample
│ ├── pre-applypatch.sample
│ ├── pre-commit.sample
│ ├── pre-merge-commit.sample
│ ├── prepare-commit-msg.sample
│ ├── pre-push.sample
│ ├── pre-rebase.sample
│ ├── pre-receive.sample
│ ├── push-to-checkout.sample
│ └── update.sample
├── info
│ └── exclude
├── objects
│ ├── info
│ └── pack
└── refs
├── heads
└── tags
9 directories, 17 files
Giving this an OK for 64-bits but feel free to extend the test if you have some knowledge of git.Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in comment 3. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2023-03-16 04:36:20 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0097.html Resolution:
(none) =>
FIXED |