Upstream has issued an advisory today (December 18):
http://article.gmane.org/gmane.linux.kernel/1853266

Github has some info on this too:
https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

The issue is fixed upstream in 1.8.5.6 and 2.2.1, which are checked into SVN. Freeze push requested for Cauldron.
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated git packages fix security vulnerability:

It was reported that git, when used as a client on a case-insensitive filesystem, could allow the overwrite of the .git/config file when the client performed a "git pull". Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user's .git/config. If this malicious config file contained defined external commands (such as for invoking an editor or an external diff utility) it could allow for the execution of arbitrary code with the privileges of the user running the git client (CVE-2014-9390).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
http://article.gmane.org/gmane.linux.kernel/1853266
https://bugzilla.redhat.com/show_bug.cgi?id=1175960
========================

Updated packages in core/updates_testing:
========================
git-1.8.5.6-1.mga4
git-core-1.8.5.6-1.mga4
gitk-1.8.5.6-1.mga4
gitview-1.8.5.6-1.mga4
libgit-devel-1.8.5.6-1.mga4
git-svn-1.8.5.6-1.mga4
git-cvs-1.8.5.6-1.mga4
git-arch-1.8.5.6-1.mga4
git-email-1.8.5.6-1.mga4
perl-Git-1.8.5.6-1.mga4
git-core-oldies-1.8.5.6-1.mga4
gitweb-1.8.5.6-1.mga4
git-prompt-1.8.5.6-1.mga4

from git-1.8.5.6-1.mga4.src.rpm
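The advisory above describes the defect as a missing path check: a committed tree entry named ".Git/config" (or any other case variation of ".git") is a different file to git on a case-sensitive server, but lands on the real .git/config when a case-insensitive client checks it out. The fixed versions reject such paths. The following is an added example, not code from Mageia or from the git project, showing the shape of that check as a server-side pre-receive filter in Python, so a hosting server can refuse such pushes before any client sees them. The case-insensitive comparison is exactly what the advisory text describes; the NTFS 8.3 short name "git~1" is included as a generalisation beyond the advisory text (it is also covered by the upstream fix). The function names and the sample path list are this example's own.

```python
"""Server-side check for tree paths that collide with .git on a
case-insensitive filesystem (CVE-2014-9390 class of problem).

Added example, not Mageia's or the git project's own code. Given the
paths a pushed commit introduces (e.g. from "git diff-tree -r --name-only"),
it flags every path whose component would resolve to the ".git" directory
on a case-insensitive checkout, so the push can be rejected on the server.
"""
from typing import Iterable, List


def is_git_component(component: str) -> bool:
    """True if this single path component would be treated as ".git" by a
    case-insensitive filesystem, or by NTFS via its 8.3 short name.

    ".gitignore", ".github" etc. are different names and are not flagged.
    """
    folded = component.lower()
    # "git~1" is the NTFS short name for ".git"; assumption beyond the
    # advisory text, included as the upstream fix also rejects it.
    return folded == ".git" or folded == "git~1"


def offending_paths(paths: Iterable[str]) -> List[str]:
    """Return every path that contains a component colliding with .git.

    Paths are forward-slash separated tree paths; empty components from
    leading or doubled slashes are ignored.
    """
    bad = []
    for path in paths:
        components = [c for c in path.split("/") if c]
        if any(is_git_component(c) for c in components):
            bad.append(path)
    return bad


def check_push(paths: Iterable[str]) -> bool:
    """Return True if the push is clean, False if it must be rejected.

    Intended to run from a pre-receive hook on the server: rejecting the
    push means case-insensitive clients never pull the colliding paths.
    """
    bad = offending_paths(paths)
    for p in bad:
        print(f"rejected: {p!r} would overwrite .git on a case-insensitive filesystem")
    return not bad


# Constructed sample of tree paths from a pushed commit. The first four are
# legitimate; the last three would overwrite .git/config or .git/hooks on a
# case-insensitive checkout.
SAMPLE_PATHS = [
    "README",
    "src/main.c",
    ".gitignore",
    "docs/.github/FUNDING.yml",
    ".Git/config",
    "subdir/.GIT/hooks/post-checkout",
    "GIT~1/config",
]


if __name__ == "__main__":
    ok = check_push(SAMPLE_PATHS)
    raise SystemExit(0 if ok else 1)
```

Run stand-alone it prints the three rejected sample paths and exits non-zero, which is the behaviour a pre-receive hook needs to abort the push. The check is deliberately per-component, not per-path prefix, because a nested "subdir/.GIT/hooks/..." is just as dangerous as a top-level ".Git/config" once the client expands it.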
Assignee: bugsquad => qa-bugs
Philippe, just FYI, this issue also affects mercurial: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29 It's technically a non-issue for Linux. However, what the git people said in their announcement made it sound like updating it on Linux protects any users using that server (not 100% sure if that's right, but it would make sense), which is why I updated git. I'll let you decide about mercurial.
CC: (none) => makowski.mageia
Testing on Mageia4x32 real hardware

Following procedure from Claire here: https://bugs.mageia.org/show_bug.cgi?id=9255#c2

As Mageia uses a case-sensitive system, I gathered I just had to verify the git update could install well and run as before.

From current package:
--------------------
git-1.8.4.5-1.mga4

Made some configurations first to be able to follow the procedure:
$ git config --global user.email olchal@gmail.com
$ git config --global user.name zitounu

Edited ~/.gitconfig and added:
[imap]
	folder = "INBOX"
	host = imaps://imap.gmail.com
	user = olchal@gmail.com
	port = 993
	sslverify = false

Following the procedure, I could initialize a repository, add a message, make some changes and send (and receive) messages through gmail.

Updated to testing packages:
---------------------------
git-1.8.5.6-1.mga4 and dependencies

Could find previous repository, add message, send it.

All OK
Whiteboard: (none) => MGA4-32-OK
CC: (none) => olchal
Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK
Advisory uploaded.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK advisory
MGA4-64 on HP Probook 6555b Installation no problem. Managed to create a repository and commit a file in it, but there stops my git experience.
CC: (none) => herman.viaene
Testing complete mga4 64 Followed.. https://bugs.mageia.org/show_bug.cgi?id=9255#c2 and did a pull from github Validating. Please push to updates. Thanks
Whiteboard: has_procedure MGA4-32-OK advisory => has_procedure MGA4-32-OK mga4-64-ok advisory
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0546.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/627591/