Fedora has issued an advisory on November 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E74SITDDPAHRFJZ6NCMSIH3SXTJWBYU3/

Mageia 5 and Mageia 6 are also affected.
The Red Hat bug has a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1510455
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Hi.

Updates pushed to updates_testing for MGA5 and MGA6. Cauldron has the latest version, 2.15.0.

git-2.7.6-1.1.mga5
git-2.13.6-1.1.mga6

Cheers,
Stig
CC: (none) => smelror
Advisory:
========================

Updated git packages fix security vulnerability:

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk (CVE-2017-15298).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E74SITDDPAHRFJZ6NCMSIH3SXTJWBYU3/
========================

Updated packages in core/updates_testing:
========================
git-2.7.6-1.1.mga5
git-core-2.7.6-1.1.mga5
gitk-2.7.6-1.1.mga5
gitview-2.7.6-1.1.mga5
libgit-devel-2.7.6-1.1.mga5
git-svn-2.7.6-1.1.mga5
git-cvs-2.7.6-1.1.mga5
git-arch-2.7.6-1.1.mga5
git-email-2.7.6-1.1.mga5
perl-Git-2.7.6-1.1.mga5
git-core-oldies-2.7.6-1.1.mga5
gitweb-2.7.6-1.1.mga5
git-prompt-2.7.6-1.1.mga5
git-2.13.6-1.1.mga6
git-core-2.13.6-1.1.mga6
gitk-2.13.6-1.1.mga6
libgit-devel-2.13.6-1.1.mga6
git-svn-2.13.6-1.1.mga6
git-cvs-2.13.6-1.1.mga6
git-arch-2.13.6-1.1.mga6
git-email-2.13.6-1.1.mga6
perl-Git-2.13.6-1.1.mga6
perl-Git-SVN-2.13.6-1.1.mga6
git-core-oldies-2.13.6-1.1.mga6
gitweb-2.13.6-1.1.mga6
git-prompt-2.13.6-1.1.mga6

from SRPMS:
git-2.7.6-1.1.mga5.src.rpm
git-2.13.6-1.1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
git git-core git-cvs git-email git-prompt

default install of git git-core git-cvs git-email git-prompt

[root@localhost wilcal]# urpmi git
Package git-2.13.6-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi git-core
Package git-core-2.13.6-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi git-cvs
Package git-cvs-2.13.6-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi git-email
Package git-email-2.13.6-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi git-prompt
Package git-prompt-2.13.6-1.mga6.x86_64 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_1.pdf

Seems to be responding normally, no error messages.
I'm even more of a git neophyte. Anyone else is welcome to work the bug before I validate it.

install git git-core git-cvs git-email git-prompt from updates_testing

[root@localhost wilcal (master)]# urpmi git
Package git-2.13.6-1.1.mga6.x86_64 is already installed
[root@localhost wilcal (master)]# urpmi git-core
Package git-core-2.13.6-1.1.mga6.x86_64 is already installed
[root@localhost wilcal (master)]# urpmi git-cvs
Package git-cvs-2.13.6-1.1.mga6.x86_64 is already installed
[root@localhost wilcal (master)]# urpmi git-email
Package git-email-2.13.6-1.1.mga6.x86_64 is already installed
[root@localhost wilcal (master)]# urpmi git-prompt
Package git-prompt-2.13.6-1.1.mga6.x86_64 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_2.pdf

Seems to be responding normally, no error messages.
CC: (none) => wilcal.int
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
git git-core git-cvs git-email git-prompt

default install of git git-core git-cvs git-email git-prompt

[root@localhost wilcal]# urpmi git
Package git-2.13.6-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi git-core
Package git-core-2.13.6-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi git-cvs
Package git-cvs-2.13.6-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi git-email
Package git-email-2.13.6-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi git-prompt
Package git-prompt-2.13.6-1.mga6.i586 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_1.jpg

Seems to be responding normally, no error messages.
I'm even more of a git neophyte. Anyone else is welcome to work the bug before I validate it.

install git git-core git-cvs git-email git-prompt from updates_testing

[root@localhost wilcal (master)]# urpmi git
Package git-2.13.6-1.1.mga6.i586 is already installed
[root@localhost wilcal (master)]# urpmi git-core
Package git-core-2.13.6-1.1.mga6.i586 is already installed
[root@localhost wilcal (master)]# urpmi git-cvs
Package git-cvs-2.13.6-1.1.mga6.i586 is already installed
[root@localhost wilcal (master)]# urpmi git-email
Package git-email-2.13.6-1.1.mga6.i586 is already installed
[root@localhost wilcal (master)]# urpmi git-prompt
Package git-prompt-2.13.6-1.1.mga6.i586 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_2.jpg

Seems to be responding normally, no error messages.
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK MGA6-64-OK
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
git git-core git-cvs git-email git-prompt

default install of git git-core git-cvs git-email git-prompt

[root@localhost wilcal]# urpmi git
Package git-2.7.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-core
Package git-core-2.7.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-cvs
Package git-cvs-2.7.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-email
Package git-email-2.7.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-prompt
Package git-prompt-2.7.6-1.mga5.x86_64 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_1.jpg

Seems to be responding normally, no error messages.
I'm even more of a git neophyte. Anyone else is welcome to work the bug before I validate it.

install git git-core git-cvs git-email git-prompt from updates_testing

[root@localhost wilcal]# urpmi git
Package git-2.7.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-core
Package git-core-2.7.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-cvs
Package git-cvs-2.7.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-email
Package git-email-2.7.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi git-prompt
Package git-prompt-2.7.6-1.1.mga5.x86_64 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_2.jpg

Seems to be responding normally, no error messages.
Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK
Installed and tested without issue.

Tests included normal git use, with plenty of commits, pull, pushes and also some init and clone.

System: Mageia 5, x86_64, Intel CPU.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep ^git | sort
git-2.7.6-1.1.mga5
git-arch-2.7.6-1.1.mga5
git-core-2.7.6-1.1.mga5
git-core-oldies-2.7.6-1.1.mga5
git-cvs-2.7.6-1.1.mga5
git-email-2.7.6-1.1.mga5
gitk-2.7.6-1.1.mga5
git-prompt-2.7.6-1.1.mga5
git-svn-2.7.6-1.1.mga5
CC: (none) => mageia
(In reply to PC LX from comment #8)
> Tests included normal git use, with plenty of commits, pull, pushes and also
> some init and clone.

Seems a bit over the top compared with what's been done in the past.
Almost finished with my bit.
In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test:
git git-core git-cvs git-email git-prompt

default install of git git-core git-cvs git-email git-prompt

[root@localhost wilcal]# urpmi git
Package git-2.7.6-1.mga5.i586 is already installed
u[root@localhost wilcal]# urpmi git-core
Package git-core-2.7.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi git-cvs
Package git-cvs-2.7.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi git-email
Package git-email-2.7.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi git-prompt
Package git-prompt-2.7.6-1.mga5.i586 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_1.txt

Seems to be responding normally, no error messages.
I'm even more of a git neophyte. Anyone else is welcome to work the bug before I validate it.

install git git-core git-cvs git-email git-prompt from updates_testing

[root@localhost Documents (master)]# urpmi git
Package git-2.7.6-1.1.mga5.i586 is already installed
[root@localhost Documents (master)]# urpmi git-core
Package git-core-2.7.6-1.1.mga5.i586 is already installed
[root@localhost Documents (master)]# urpmi git-cvs
Package git-cvs-2.7.6-1.1.mga5.i586 is already installed
[root@localhost Documents (master)]# urpmi git-email
Package git-email-2.7.6-1.1.mga5.i586 is already installed
[root@localhost Documents (master)]# urpmi git-prompt
Package git-prompt-2.7.6-1.1.mga5.i586 is already installed

[wilcal@localhost ~]$ git init
Initialized empty Git repository in /home/wilcal/.git/
[wilcal@localhost ~ (master)]$ git config --global user.name "wilcal"
[wilcal@localhost ~ (master)]$ git config --global user.email "wilcal.int@gmail.com"
[wilcal@localhost Documents (master)]$ git add test_file_2.txt

Seems to be responding normally, no error messages.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0440.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED