Bug 23096 - git new security issue CVE-2018-11235
Summary: git new security issue CVE-2018-11235
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-29 21:59 CEST by David Walser
Modified: 2018-06-03 13:03 CEST
CC List: 4 users

See Also:
Source RPM: git-2.13.6-1.1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 2.13.7


Attachments

Description David Walser 2018-05-29 21:59:08 CEST
New versions of git have been announced today:
http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html

Version 2.13.7 fixes two security issues.
David Walser 2018-05-29 21:59:23 CEST

Status comment: (none) => Fixed upstream in 2.13.7

Comment 1 Marja Van Waes 2018-05-30 07:08:27 CEST
Assigning to our registered git maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-05-30 13:19:00 CEST
(In reply to Marja Van Waes from comment #1)
> Assigning to our registered git maintainer.

thanks! I submitted git-2.13.7-1.mga6 to updates_testing.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2018-05-30 17:53:02 CEST
Advisory:
========================

Updated git packages fix security vulnerabilities:

It was possible to trick the code that sanity-checks paths on NTFS into reading
a random piece of memory (CVE-2018-11233).

Submodule "names" come from the untrusted .gitmodules file, but we blindly
append them to $GIT_DIR/modules to create our on-disk repo paths. This means you
can do bad things by putting "../" into the name. We now enforce some rules for
submodule names which will cause Git to ignore these malicious names
(CVE-2018-11235).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html
========================

Updated packages in core/updates_testing:
========================
git-2.13.7-1.mga6
git-core-2.13.7-1.mga6
gitk-2.13.7-1.mga6
libgit-devel-2.13.7-1.mga6
git-svn-2.13.7-1.mga6
git-cvs-2.13.7-1.mga6
git-arch-2.13.7-1.mga6
git-email-2.13.7-1.mga6
perl-Git-2.13.7-1.mga6
perl-Git-SVN-2.13.7-1.mga6
git-core-oldies-2.13.7-1.mga6
gitweb-2.13.7-1.mga6
git-prompt-2.13.7-1.mga6

from git-2.13.7-1.mga6.src.rpm
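The CVE-2018-11235 paragraph in the advisory above describes the whole problem: a name taken from the untrusted .gitmodules file is appended to $GIT_DIR/modules, so a "../" component in the name points the on-disk repository path outside that directory. The script below is an added illustration and is not part of this bug report, of the Mageia packages, or of git's own source. It parses the section headers of a constructed .gitmodules sample, applies a name check that is this example's reading of the rules upstream adopted (non-empty, no ".." component when split on either "/" or "\"), and resolves where each name would land under a hypothetical ".git/modules" to make the escape visible.

```python
import posixpath
import re

# Constructed sample .gitmodules content (not taken from the bug report): one
# ordinary entry, one whose name smuggles in "../" components, and one whose
# name merely contains ".." inside a component and must not be over-rejected.
SAMPLE_GITMODULES = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
[submodule "../../hooks"]
\tpath = hooks
\turl = https://example.invalid/other.git
[submodule "plain/..trailing"]
\tpath = x
\turl = https://example.invalid/x.git
"""

# .gitmodules is an INI-style git config file; only the [submodule "NAME"]
# section headers are needed here, so a line-anchored regex is enough.
SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]\s*$', re.MULTILINE)


def parse_submodule_names(text):
    """Return the NAME of every [submodule "NAME"] section header, in order."""
    return SECTION_RE.findall(text)


def is_safe_submodule_name(name):
    """Reject names that could escape $GIT_DIR/modules when joined to it.

    Rules (this example's reading of the upstream fix, not git's own code):
    the name must be non-empty and must not contain a ".." component, where
    components are split on both "/" and "\\" so the verdict does not depend
    on the host platform's directory separator.
    """
    if name == "":
        return False
    for component in re.split(r"[/\\]", name):
        if component == "..":
            return False
    return True


def modules_dir_target(git_dir, name):
    """Resolve where the submodule repository would be stored for this name.

    The path is built exactly as the advisory describes: the untrusted name
    is appended to $GIT_DIR/modules. posixpath keeps the result identical on
    every OS so the behaviour is reproducible.
    """
    return posixpath.normpath(posixpath.join(git_dir, "modules", name))


def escapes_modules_dir(git_dir, name):
    """True if the resolved target lies outside $GIT_DIR/modules."""
    modules_root = posixpath.normpath(posixpath.join(git_dir, "modules"))
    target = modules_dir_target(git_dir, name)
    return not (target == modules_root or target.startswith(modules_root + "/"))


def audit_gitmodules(text, git_dir=".git"):
    """Return one (name, verdict, resolved_target) tuple per declared submodule."""
    report = []
    for name in parse_submodule_names(text):
        verdict = "ok" if is_safe_submodule_name(name) else "REJECT"
        report.append((name, verdict, modules_dir_target(git_dir, name)))
    return report


if __name__ == "__main__":
    for name, verdict, target in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{verdict:6} {name!r:24} -> {target}")
```

Running it shows "../../hooks" resolving to plain "hooks", i.e. outside ".git/modules" entirely, while "plain/..trailing" stays inside and is accepted; the component-wise check, rather than a substring search for "..", is what keeps the second case from being a false positive.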
Comment 4 PC LX 2018-06-01 11:51:40 CEST
Installed and tested without issues.

Tests included the usual operations (e.g. commit, diff, status, log, clone, push, pull) in local and remote repositories (e.g. ssh, https).

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep '^git|^lib(64)?git' | sort
git-2.13.7-1.mga6
git-arch-2.13.7-1.mga6
git-core-2.13.7-1.mga6
git-core-oldies-2.13.7-1.mga6
git-cvs-2.13.7-1.mga6
git-email-2.13.7-1.mga6
gitk-2.13.7-1.mga6
git-prompt-2.13.7-1.mga6
git-svn-2.13.7-1.mga6
lib64git2_25-0.25.0-1.mga6

CC: (none) => mageia

PC LX 2018-06-01 11:51:54 CEST

Whiteboard: (none) => MGA6-64-OK

Thomas Backlund 2018-06-03 12:22:57 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2018-06-03 13:03:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0267.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

