Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help".
(In reply to Zombie Ryushu from comment #0) > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted > login shell for Git-only SSH access, allows a user to run an interactive > pager by causing it to spawn "git upload-pack --help". Is this vulnerability present in the recent 2.13.0?
CC: (none) => smelror
(In reply to Stig-Ørjan Smelror from comment #1) > (In reply to Zombie Ryushu from comment #0) > > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted > > login shell for Git-only SSH access, allows a user to run an interactive > > pager by causing it to spawn "git upload-pack --help". > > Is this vulnerability present in the recent 2.13.0? It got fixed https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt Changing component to Security and assigning to the registered maintainer. (The CVE is still reserved, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )
CC: (none) => marja11Component: RPM Packages => SecurityWhiteboard: (none) => MGA5TOOAssignee: bugsquad => shlomifVersion: 5 => CauldronQA Contact: (none) => security
(In reply to Marja van Waes from comment #2) > (In reply to Stig-Ørjan Smelror from comment #1) > > (In reply to Zombie Ryushu from comment #0) > > > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted > > > login shell for Git-only SSH access, allows a user to run an interactive > > > pager by causing it to spawn "git upload-pack --help". > > > > Is this vulnerability present in the recent 2.13.0? > > It got fixed > https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13. > 0.txt > > Changing component to Security and assigning to the registered maintainer. > > > (The CVE is still reserved, > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 ) git-2.13.0 was pushed to Cauldron. Can I upgrade it to 2.13.0 on mageia v5 as well?
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Link to the actual Debian advisory from May 10: https://www.debian.org/security/2017/dsa-3848 They backported a patch, so we may be able to use it for Mageia 5.
CC: (none) => luigiwalser
(In reply to David Walser from comment #4) > Link to the actual Debian advisory from May 10: > https://www.debian.org/security/2017/dsa-3848 > > They backported a patch, so we may be able to use it for Mageia 5. Thanks, David! I built a new git-2.7.4-1.1mga5 package for mageia 5 core/updates_testing. Assigning to QA for testing. We also need to write an advisory.
Assignee: shlomif => qa-bugs
Thanks Shlomi! Advisory: ======================== Updated git packages fix security vulnerability: Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help" (CVE-2017-8386). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 https://www.debian.org/security/2017/dsa-3848 ======================== Updated packages in core/updates_testing: ======================== git-2.7.4-1.1.mga5 git-core-2.7.4-1.1.mga5 gitk-2.7.4-1.1.mga5 gitview-2.7.4-1.1.mga5 libgit-devel-2.7.4-1.1.mga5 git-svn-2.7.4-1.1.mga5 git-cvs-2.7.4-1.1.mga5 git-arch-2.7.4-1.1.mga5 git-email-2.7.4-1.1.mga5 perl-Git-2.7.4-1.1.mga5 git-core-oldies-2.7.4-1.1.mga5 gitweb-2.7.4-1.1.mga5 git-prompt-2.7.4-1.1.mga5 from git-2.7.4-1.1.mga5.src.rpm
Whiteboard: (none) => advisoryCC: (none) => davidwhodgins
To satisfy dependencies, the following package(s) also need to be installed: - cvs-1.12.13-25.mga5.i586 - cvsps-2.2b1-6.mga5.i586 - git-arch-2.7.4-1.1.mga5.i586 - git-core-2.7.4-1.1.mga5.i586 - git-core-oldies-2.7.4-1.1.mga5.i586 - git-cvs-2.7.4-1.1.mga5.i586 - git-email-2.7.4-1.1.mga5.i586 - git-prompt-2.7.4-1.1.mga5.i586 - git-svn-2.7.4-1.1.mga5.i586 - gitk-2.7.4-1.1.mga5.i586 - libapr-util1_0-1.5.4-4.mga5.i586 - libapr1_0-1.5.1-3.mga5.i586 - libserf1-1.3.8-1.mga5.i586 - libsvn0-1.8.17-1.mga5.i586 - perl-Authen-SASL-2.160.0-5.mga5.noarch - perl-Digest-HMAC-1.30.0-6.mga5.noarch - perl-Digest-SHA1-2.130.0-15.mga5.i586 - perl-Error-0.170.220-4.mga5.noarch - perl-Git-2.7.4-1.1.mga5.i586 - perl-MIME-Base64-3.140.0-7.mga5.i586 - perl-SVN-1.8.17-1.mga5.i586 - perl-YAML-1.110.0-5.2.mga5.noarch - subversion-1.8.17-1.mga5.i586 - tk-8.5.15-3.mga5.i586 54MB of additional disk space will be used. This may be the easiest instructions for git you can have (forgive his language): http://rogerdudler.github.io/git-guide/ FYI do this in a VM unless you want home under git influence. $ git init configure git some $ git config --global user.name "your name" $ git config --global user.email "yourEmail@serviceyouuse.com" Now I'm listing out some files on the VM I can save in git. I'll pick one. [brian@localhost Documents (master)]$ ls git271.odt openvpn2316.odt $ git add openvpn2316.odt [brian@localhost Documents (master)]$ git commit -m "Commit message"[master (root-commit) b1dcabf] Commit message 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Documents/openvpn2316.odt Seems to be working as designed. I am a git neophyte who has used it on a small cloud project, that's about it. Developers chime in.
CC: (none) => brtians1Whiteboard: advisory => advisory mga5-32-ok
$ uname -a Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 17:56:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux To satisfy dependencies, the following package(s) also need to be installed: - cvs-1.12.13-25.mga5.x86_64 - cvsps-2.2b1-6.mga5.x86_64 - git-arch-2.7.4-1.1.mga5.x86_64 - git-core-2.7.4-1.1.mga5.x86_64 - git-core-oldies-2.7.4-1.1.mga5.x86_64 - git-cvs-2.7.4-1.1.mga5.x86_64 - git-email-2.7.4-1.1.mga5.x86_64 - git-prompt-2.7.4-1.1.mga5.x86_64 - git-svn-2.7.4-1.1.mga5.x86_64 - gitk-2.7.4-1.1.mga5.x86_64 - lib64serf1-1.3.8-1.mga5.x86_64 - lib64svn0-1.8.17-1.mga5.x86_64 - perl-Authen-SASL-2.160.0-5.mga5.noarch - perl-Digest-HMAC-1.30.0-6.mga5.noarch - perl-Digest-SHA1-2.130.0-15.mga5.x86_64 - perl-Error-0.170.220-4.mga5.noarch - perl-Git-2.7.4-1.1.mga5.x86_64 - perl-MIME-Base64-3.140.0-7.mga5.x86_64 - perl-SVN-1.8.17-1.mga5.x86_64 - perl-YAML-1.110.0-5.2.mga5.noarch - subversion-1.8.17-1.mga5.x86_64 - tk-8.5.15-3.mga5.x86_64 51MB of additional disk space will be used. $ git add git27411_backup.odt $ git commit -m "gitbackup" [master (root-commit) 7acde0b] gitbackup 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Documents/git27411_backup.odt $ git checkout -b git_doc D Documents/git27411_backup.odt Switched to a new branch 'git_doc' $ git pull fatal: No remote repository specified. Please, specify either a URL or a remote name from which new revisions should be fetched. $ git checkout master D Documents/git27411_backup.odt Switched to branch 'master' $ git checkout – git27411_backup.odt ----updated doc with these changes. $ git add git27411_backup.odt $ git commit -m "gitbackup2" [master 24ff497] gitbackup2 1 file changed, 0 insertions(+), 0 deletions(-) rewrite Documents/git27411_backup.odt (77%) ------------ Working as designed
Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok mga5-64-ok
@Brian Thank you for testing this update on both architectures. Am validating.
Keywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0153.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED