Bug 18013 - git new security issues CVE-2016-2324 and CVE-2016-2315
Summary: git new security issues CVE-2016-2324 and CVE-2016-2315
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/680320/
Whiteboard: advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-15 17:22 CET by David Walser
Modified: 2016-03-25 07:39 CET (History)

See Also:
Source RPM: git-2.3.10-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-03-15 17:22:21 CET
Some details on security issues fixed in git 2.7.1 were released today (March 15):
http://openwall.com/lists/oss-security/2016/03/15/5

The commit 34fa79a they mention never made it into the 2.3.10 release, which we have in Mageia 5, and commits were not listed for the fixes in 2.7.1 that fully fixed these issues.

The 2.3 branch has not had any more releases.  I'd guess we just need to update to 2.7.3, but I don't know if updating Mageia 5 to the 2.7 branch would cause any issues.
David Walser 2016-03-15 17:22:39 CET

CC: (none) => mageia, thierry.vignaud, tmb

Comment 1 Colin Guthrie 2016-03-15 17:26:25 CET
Personally, I don't think we need to worry about updating to 2.7.3. I've generally followed cauldron and work quite a lot with various git repos and never had an issue.

I vote we just update MGA5 to latest version. Any objections?

Note we should also rebuild/update cgit as part of this change too (I think it's already updated to newer git in MGA5 but probably still needs updating - and at very least checked).
Comment 2 David Walser 2016-03-15 17:27:44 CET
Thanks for the reminder about cgit.  I suspect updating to 2.7.3 should be just fine as well.
Comment 3 Shlomi Fish 2016-03-15 18:21:34 CET
I support updating to git-2.7.3 as well.
Comment 4 Shlomi Fish 2016-03-16 11:09:17 CET
(In reply to David Walser from comment #2)
> Thanks for the reminder about cgit.  I suspect updating to 2.7.3 should be
> just fine as well.

Can I proceed with upgrading git to 2.7.3 in Mageia v5? There seems to be a consensus that it's the best way.

Regards,

-- Shlomi Fish
Comment 5 David Walser 2016-03-16 11:32:25 CET
Thanks Shlomi.  Yes, please proceed.

Colin, would you mind taking care of cgit?
Comment 6 Colin Guthrie 2016-03-16 11:34:13 CET
(In reply to David Walser from comment #5)
> Colin, would you mind taking care of cgit?

Will do!
Comment 7 Colin Guthrie 2016-03-16 11:52:09 CET
cgit-0.12-1.2.mga5 on its way to updates_testing
Comment 8 Shlomi Fish 2016-03-16 14:37:45 CET
git-2.7.3-1.mga5 was submitted to 5 core/updates_testing.
Comment 9 David Walser 2016-03-16 14:44:37 CET
Thanks Shlomi and Colin!

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
========================

Updated packages in core/updates_testing:
========================
git-2.7.3-1.mga5
git-core-2.7.3-1.mga5
gitk-2.7.3-1.mga5
gitview-2.7.3-1.mga5
libgit-devel-2.7.3-1.mga5
git-svn-2.7.3-1.mga5
git-cvs-2.7.3-1.mga5
git-arch-2.7.3-1.mga5
git-email-2.7.3-1.mga5
perl-Git-2.7.3-1.mga5
git-core-oldies-2.7.3-1.mga5
gitweb-2.7.3-1.mga5
git-prompt-2.7.3-1.mga5
cgit-0.12-1.1.mga5

from SRPMS:
git-2.7.3-1.mga5.src.rpm
cgit-0.12-1.1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

David Walser 2016-03-16 14:44:55 CET

Severity: normal => critical

Comment 10 David Walser 2016-03-16 15:02:44 CET
Here is a good explanation of the security issues:
http://www.theregister.co.uk/2016/03/16/git_server_client_patch_now/
Comment 11 David Walser 2016-03-16 15:11:53 CET
More fleshed out advisory.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

The git package has been updated to version 2.7.3, which fixes this issue, as
well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been
updated to version 2.7.3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
Comment 12 David Walser 2016-03-16 15:21:14 CET
The original reporter just pointed out that even 2.7.3 didn't include the CVE-2016-2324 fix(es), so we need to update these again:
http://openwall.com/lists/oss-security/2016/03/16/9

Hopefully 2.7.4 will be rolled out soon!

Whiteboard: (none) => feedback

David Walser 2016-03-16 19:18:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/680320/

Comment 13 David Walser 2016-03-18 14:31:52 CET
git 2.7.4 is now available.  Please update git and cgit again.
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
Comment 14 David Walser 2016-03-18 14:34:24 CET
If anyone wants to try a reproducer, see here:
http://openwall.com/lists/oss-security/2016/03/18/1

I don't think it's necessary for testing the update, but it's there for the curious.
Comment 15 David Walser 2016-03-18 19:53:35 CET
Updated (again) packages uploaded for Mageia 5 and Cauldron.

Thanks Shlomi for the git update.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code
execution in git. It can happen while pushing or cloning a repository with a
large filename or a large number of nested trees (CVE-2016-2315,
CVE-2016-2324).

The git package has been updated to version 2.7.4, which fixes this issue, as
well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been
updated to version 2.7.4.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
http://openwall.com/lists/oss-security/2016/03/16/9
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.mga5
git-core-2.7.4-1.mga5
gitk-2.7.4-1.mga5
gitview-2.7.4-1.mga5
libgit-devel-2.7.4-1.mga5
git-svn-2.7.4-1.mga5
git-cvs-2.7.4-1.mga5
git-arch-2.7.4-1.mga5
git-email-2.7.4-1.mga5
perl-Git-2.7.4-1.mga5
git-core-oldies-2.7.4-1.mga5
gitweb-2.7.4-1.mga5
git-prompt-2.7.4-1.mga5
cgit-0.12-1.2.mga5

from SRPMS:
git-2.7.4-1.mga5.src.rpm
cgit-0.12-1.2.mga5.src.rpm

Whiteboard: feedback => (none)

Dave Hodgins 2016-03-21 00:07:08 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 16 Herman Viaene 2016-03-24 14:38:50 CET
MGA5-32 on Acer D620 Xfce
No installation issues
I created a new account (didn't have one before) and put three files in hello-world and cloned this one along the lines of the procedure in bug16913. Seems to work OK.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
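The validation above was done by hand (new account, three files, clone). The script below is an added QA helper for this update, written here as an example; it is not part of the bug report, the Mageia packages, or git itself. It first checks that the installed git reports a version at or above the fixed version given in comment 15 (2.7.4, assumed here as FIXED_VERSION; package release suffixes such as "-1.mga5" are stripped before comparison), then runs a push/clone smoke test in a throwaway directory, similar in spirit to the procedure described in comment 16. The repository layout, file names and the script file name git_update_check.sh are assumptions.

```shell
#!/bin/sh
# Added QA example (not from the bug report or the Mageia packages).
# Assumed fixed version, taken from the advisory in comment 15.
FIXED_VERSION="2.7.4"

# Numeric component N (1-based) of dotted version V; prints 0 when absent.
# A release suffix such as "-1.mga5" is stripped before splitting.
vcomp() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    c=$(printf '%s\n' "$v" | cut -d. -f"$2")
    printf '%s\n' "${c:-0}"
}

# Succeed (exit 0) when version $1 >= version $2, comparing major.minor.patch.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vcomp "$1" "$i")
        b=$(vcomp "$2" "$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Extract "2.7.4" from "git version 2.7.4"; prints nothing if git is missing.
installed_git_version() {
    git --version 2>/dev/null | awk '{ print $3 }'
}

# Push three files to a bare repository and clone it back, like comment 16.
# Everything happens in a temporary directory that is removed afterwards.
git_smoke_test() {
    tmp=$(mktemp -d) || return 1
    (
        set -e
        cd "$tmp"
        git init -q --bare origin.git
        git init -q work
        cd work
        for f in one two three; do echo "hello-world $f" > "$f.txt"; done
        git add .
        git -c user.name=qa -c user.email=qa@example.invalid commit -q -m "three files"
        git push -q ../origin.git HEAD:refs/heads/qa
        cd ..
        git clone -q -b qa origin.git clone
        test -f clone/three.txt
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

main() {
    v=$(installed_git_version)
    if [ -z "$v" ]; then
        echo "git is not installed"
        return 1
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "git $v: at or above fixed version $FIXED_VERSION"
    else
        echo "git $v: still below fixed version $FIXED_VERSION"
        return 1
    fi
    git_smoke_test && echo "push/clone smoke test: OK"
}

# Run the checks only when executed under the assumed script name, so the
# functions can also be sourced from another shell script.
case "$0" in
    git_update_check.sh|*/git_update_check.sh) main "$@" ;;
esac
```

Run it as `sh git_update_check.sh` on the test machine after installing the packages from core/updates_testing; a non-zero exit means either the installed git is still older than 2.7.4 or the push/clone round trip failed.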

Comment 17 claire robinson 2016-03-24 22:34:56 CET
Validating. Advisory is current.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2016-03-25 07:39:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0119.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

