Bug 14849 - git new security issue CVE-2014-9390
Summary: git new security issue CVE-2014-9390
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627591/
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok a...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2014-12-19 01:44 CET by David Walser
Modified: 2014-12-24 18:48 CET (History)

See Also:
Source RPM: git-1.8.4.5-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-12-19 01:44:15 CET
Upstream has issued an advisory today (December 18):
http://article.gmane.org/gmane.linux.kernel/1853266

Github has some info on this too:
https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

The issue is fixed upstream in 1.8.5.6 and 2.2.1, which are checked into SVN.

Freeze push requested for Cauldron.

Comment 1 David Walser 2014-12-19 15:33:25 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated git packages fix security vulnerability:

It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when the client
performed a "git pull".  Because git permitted committing .Git/config (or any
case variation), on the pull this would replace the user's .git/config.  If
this malicious config file contained defined external commands (such as for
invoking an editor or an external diff utility) it could allow for the
execution of arbitrary code with the privileges of the user running the git
client (CVE-2014-9390).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
http://article.gmane.org/gmane.linux.kernel/1853266
https://bugzilla.redhat.com/show_bug.cgi?id=1175960
========================

Updated packages in core/updates_testing:
========================
git-1.8.5.6-1.mga4
git-core-1.8.5.6-1.mga4
gitk-1.8.5.6-1.mga4
gitview-1.8.5.6-1.mga4
libgit-devel-1.8.5.6-1.mga4
git-svn-1.8.5.6-1.mga4
git-cvs-1.8.5.6-1.mga4
git-arch-1.8.5.6-1.mga4
git-email-1.8.5.6-1.mga4
perl-Git-1.8.5.6-1.mga4
git-core-oldies-1.8.5.6-1.mga4
gitweb-1.8.5.6-1.mga4
git-prompt-1.8.5.6-1.mga4

from git-1.8.5.6-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs
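
An added defender-side check, not part of the Mageia packages or the upstream fix: it scans a repository tree listing for path components that would collide with `.git` on a case-insensitive filesystem (the `.Git/config` case the advisory describes) and, going slightly beyond the advisory, also flags the trailing dot/space variants that NTFS strips from file names. The sample tree is constructed, and `DOTGIT_RE`, `find_dotgit_paths` and `scan_repository` are names chosen for this example.

```python
import re
import subprocess
from typing import Iterable, List

# A path component that a case-insensitive filesystem would treat as ".git":
# any case variation, optionally followed by trailing dots/spaces, which
# Windows (NTFS) drops when creating the file (".Git", ".GIT.", ".git ").
# Note: ".gitignore" and ".git_backup" are not collisions and must not match.
DOTGIT_RE = re.compile(r"^\.git[. ]*$", re.IGNORECASE)


def find_dotgit_paths(paths: Iterable[str]) -> List[str]:
    """Return every tree path with a component that collides with .git."""
    hits = []
    for path in paths:
        # Git tree paths always use '/' as separator; check each component.
        if any(DOTGIT_RE.match(part) for part in path.split("/")):
            hits.append(path)
    return hits


def scan_repository(repo_dir: str, rev: str = "HEAD") -> List[str]:
    """List the files recorded in a real repository's tree and report
    collisions. Needs git on PATH; useful for auditing repositories on a
    server before untrusted commits reach case-insensitive clients."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "--name-only", "-z", rev],
        check=True, capture_output=True,
    ).stdout
    paths = [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]
    return find_dotgit_paths(paths)


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                       # benign: not ".git" itself
    ".Git/config",                      # case variation of .git/config
    "docs/.GIT./hooks/post-checkout",   # NTFS trailing-dot variant
    "vendor/lib/.git_backup",           # benign
]

if __name__ == "__main__":
    for suspicious in find_dotgit_paths(SAMPLE_TREE):
        print("suspicious path:", suspicious)
```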

Comment 2 David Walser 2014-12-20 13:37:59 CET
Philippe, just FYI, this issue also affects mercurial:
http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29

It's technically a non-issue for Linux.  However, what the git people said in their announcement made it sound like updating it on Linux protects any users using that server (not 100% sure if that's right, but it would make sense), which is why I updated git.  I'll let you decide about mercurial.

CC: (none) => makowski.mageia

Comment 3 olivier charles 2014-12-20 17:34:14 CET
Testing on Mageia4x32 real hardware
Following procedure from Claire here:
https://bugs.mageia.org/show_bug.cgi?id=9255#c2

As mageia uses a case-sensitive system, I gathered I just had to verify git update could install well and run as before.


From current package:
--------------------
git-1.8.4.5-1.mga4

Made some configurations first to be able to follow procedure
$ git config --global user.email olchal@gmail.com
$ git config --global user.name zitounu

Edited ~/.gitconfig
and added:
[imap]
        folder = "INBOX"
        host = imaps://imap.gmail.com
        user = olchal@gmail.com
        port = 993
        sslverify = false

Following procedure could initialize a repository, add a message, make some changes and send (and receive) messages through gmail.

Updated to testing packages:
---------------------------
git-1.8.5.6-1.mga4
and dependencies

Could find previous repository, add message, send it.

All OK

Whiteboard: (none) => MGA4-32-OK
CC: (none) => olchal

claire robinson 2014-12-21 17:26:45 CET

Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK

Comment 4 Rémi Verschelde 2014-12-23 11:13:13 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK advisory

Comment 5 Herman Viaene 2014-12-23 11:46:12 CET
MGA4-64 on HP Probook 6555b
Installation no problem.
Managed to create a repository and commit a file in it, but there stops my git experience.

CC: (none) => herman.viaene

Comment 6 claire robinson 2014-12-23 12:15:08 CET
Testing complete mga4 64

Followed..
https://bugs.mageia.org/show_bug.cgi?id=9255#c2

and did a pull from github

Validating. Please push to updates. Thanks

Whiteboard: has_procedure MGA4-32-OK advisory => has_procedure MGA4-32-OK mga4-64-ok advisory
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2014-12-23 21:36:07 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0546.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-24 18:48:31 CET

URL: (none) => http://lwn.net/Vulnerabilities/627591/
