Bug 16913 - git 2.3.10 security update (including CVE-2015-7545)
Summary: git 2.3.10 security update (including CVE-2015-7545)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/660668/
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-10-06 19:51 CEST by David Walser
Modified: 2015-12-08 16:17 CET
CC List: 3 users

See Also:
Source RPM: git-2.3.8-1.mga5.src.rpm
CVE:
Status comment:


Attachments
The Git test procedure that I used in the output of the script command. (14.02 KB, text/plain)
2015-10-10 15:03 CEST, Shlomi Fish

Description David Walser 2015-10-06 19:51:21 CEST
A CVE was requested for a fix in git 2.3.10 and 2.6.1:
http://openwall.com/lists/oss-security/2015/10/06/1

git 2.3.9 and 2.3.10 also contain fixes for potential overflow issues.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
----------------------------------------

The git package has been updated to version 2.3.10, fixing a few security
issues.  These include buffer and integer overflow issues with long file path
names and large files, as well as a remote code execution flaw with some
protocols like git-remote-ext and specially crafted URLs.  See the upstream
release notes for details.

References:
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.9.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.10.txt
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
git-2.3.10-1.mga5
git-core-2.3.10-1.mga5
gitk-2.3.10-1.mga5
gitview-2.3.10-1.mga5
libgit-devel-2.3.10-1.mga5
git-svn-2.3.10-1.mga5
git-cvs-2.3.10-1.mga5
git-arch-2.3.10-1.mga5
git-email-2.3.10-1.mga5
perl-Git-2.3.10-1.mga5
git-core-oldies-2.3.10-1.mga5
gitweb-2.3.10-1.mga5
git-prompt-2.3.10-1.mga5

from git-2.3.10-1.mga5.src.rpm

Dave Hodgins 2015-10-09 00:29:33 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 Shlomi Fish 2015-10-10 15:01:52 CEST
Since there was no Proof-of-Concept, I just tested normal git use in an x86-64 VM. Adding MGA5-64-OK. I'll attach the output of the script file (possibly useful as a future procedure) soon.

CC: (none) => shlomif
Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 Shlomi Fish 2015-10-10 15:03:26 CEST
Created attachment 7111
The Git test procedure that I used in the output of the script command.
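A QA-side check of the kind Comment 1 describes, as an added shell example (it is not the attached test procedure nor Mageia's own tooling): it compares each installed package's version-release against the fixed 2.3.10-1.mga5 from the description, comparing components numerically so that 2.3.9 sorts below 2.3.10. The rpm query and the package names are assumptions about an rpm-based Mageia host.

```shell
#!/bin/sh
# Added QA helper, not this bug's attached procedure or Mageia's own tooling.
# FIXED_EVR and PACKAGES come from the package list in the bug description;
# assumes an rpm-based host (the rpm query is skipped where rpm is absent).
FIXED_EVR="2.3.10-1.mga5"
PACKAGES="git git-core gitk gitview libgit-devel git-svn git-cvs git-arch \
git-email perl-Git git-core-oldies gitweb git-prompt"

# Return 0 when version string $1 is at least $2, 1 otherwise. Components are
# split on '.' and '-'; numeric ones compare numerically (2.3.10 > 2.3.9, which
# a plain string comparison gets wrong), anything else as a plain string.
ver_ge() {
    i=1
    while :; do
        # the trailing '.' guarantees a delimiter, so cut yields "" past the end
        x=$(printf '%s.\n' "$1" | sed 's/-/./g' | cut -d. -f"$i")
        y=$(printf '%s.\n' "$2" | sed 's/-/./g' | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # every component equal
        if [ -z "$x" ]; then return 1; fi                  # $1 is a prefix of $2
        if [ -z "$y" ]; then return 0; fi                  # $2 is a prefix of $1
        case "$x$y" in
            *[!0-9]*) if [ "$x" = "$y" ]; then :; elif [ "$x" \> "$y" ]; then return 0; else return 1; fi ;;
            *)        if [ "$x" -eq "$y" ]; then :; elif [ "$x" -gt "$y" ]; then return 0; else return 1; fi ;;
        esac
        i=$((i + 1))
    done
}

# Query one installed package with rpm and compare it against FIXED_EVR.
# Returns 0 when fixed, 1 when still vulnerable, 2 when not installed / no rpm.
pkg_is_fixed() {
    command -v rpm >/dev/null 2>&1 || return 2
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || return 2
    if ver_ge "$evr" "$FIXED_EVR"; then
        echo "$1 $evr: fixed (>= $FIXED_EVR)"
    else
        echo "$1 $evr: VULNERABLE, needs $FIXED_EVR"; return 1
    fi
}

# Walk every package from the advisory; return 1 if any installed one is old.
check_all() {
    bad=0
    for p in $PACKAGES; do
        if pkg_is_fixed "$p"; then :; elif [ $? -eq 1 ]; then bad=1; fi
    done
    return $bad
}
```

Run `check_all` on the host under test; a non-zero exit means at least one of the advisory's packages is still below the fixed release.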
Comment 3 David Walser 2015-10-10 15:15:02 CEST
Can anyone verify that Bug 16861 does not affect this update?
Comment 4 Shlomi Fish 2015-10-11 10:03:08 CEST
(In reply to David Walser from comment #3)
> Can anyone verify that Bug 16861 does not affect this update?

git works fine in an English locale, and from what I know, gitk is not necessary to use git, so it seems like a separate issue.
Comment 5 claire robinson 2015-10-12 09:17:19 CEST
Validating. Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-10-13 19:49:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0396.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-10-14 19:23:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/660668/

Comment 7 David Walser 2015-12-08 16:17:09 CET
(In reply to David Walser from comment #0)
> as well as a remote code execution flaw with some protocols like
> git-remote-ext and specially crafted URLs

This issue has been assigned CVE-2015-7545:
http://openwall.com/lists/oss-security/2015/12/08/5

Summary: git 2.3.10 security update => git 2.3.10 security update (including CVE-2015-7545)
