Bug 23642 - git new security issue CVE-2018-17456
Summary: git new security issue CVE-2018-17456
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-06 11:14 CEST by Thomas Backlund
Modified: 2018-10-14 02:59 CEST (History)
4 users (show)

See Also:
Source RPM: git-2.13.7-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description Thomas Backlund 2018-10-06 11:14:02 CEST
Advisory:
joernchen of Phenoelit discovered that git is prone to an arbitrary code
execution vulnerability due to insufficient validation of submodule url
and path via a specially crafted .gitmodules file in a project cloned
with --recurse-submodules (CVE-2018-17456).


SRPM:
git-2.13.7-1.2.mga6.src.rpm


i586:
git-2.13.7-1.2.mga6.i586.rpm
git-arch-2.13.7-1.2.mga6.i586.rpm
git-core-2.13.7-1.2.mga6.i586.rpm
git-core-oldies-2.13.7-1.2.mga6.i586.rpm
git-cvs-2.13.7-1.2.mga6.i586.rpm
git-email-2.13.7-1.2.mga6.i586.rpm
gitk-2.13.7-1.2.mga6.i586.rpm
git-prompt-2.13.7-1.2.mga6.i586.rpm
git-svn-2.13.7-1.2.mga6.i586.rpm
gitweb-2.13.7-1.2.mga6.i586.rpm
libgit-devel-2.13.7-1.2.mga6.i586.rpm
perl-Git-2.13.7-1.2.mga6.i586.rpm
perl-Git-SVN-2.13.7-1.2.mga6.i586.rpm


x86_64:
git-2.13.7-1.2.mga6.x86_64.rpm
git-arch-2.13.7-1.2.mga6.x86_64.rpm
git-core-2.13.7-1.2.mga6.x86_64.rpm
git-core-oldies-2.13.7-1.2.mga6.x86_64.rpm
git-cvs-2.13.7-1.2.mga6.x86_64.rpm
git-email-2.13.7-1.2.mga6.x86_64.rpm
gitk-2.13.7-1.2.mga6.x86_64.rpm
git-prompt-2.13.7-1.2.mga6.x86_64.rpm
git-svn-2.13.7-1.2.mga6.x86_64.rpm
gitweb-2.13.7-1.2.mga6.x86_64.rpm
lib64git-devel-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-SVN-2.13.7-1.2.mga6.x86_64.rpm
David Walser 2018-10-06 15:35:39 CEST

Source RPM: git => git-2.13.7-1.mga6.src.rpm
Summary: Update request: git-2.13.7-1.2.mga6 => git new security issue CVE-2018-17456

Comment 1 Len Lawrence 2018-10-07 13:04:05 CEST
Mageia 6, x86_64

Before updating:
Checked for the presence of the packages listed.  Installed gitweb.
Consulted man pages for git and gittutorial and introduced myself to github.

$ git config --global user.name <user>
$ git config --global user.email <email>

Updated all the packages listed.
$ git --version
git version 2.13.7

Repeated the user introduction.  No objections raised.
$ git init
Initialized empty Git repository in /home/lcl/ruby/qa/.git/

That just happened to be where the terminal was sitting.  I have a large number of local utilities and projects but nothing in a form suitable for creating a project tarball (presumably there are standards to be observed) so cannot take this any further.  The man pages or --help do not say how to interrogate github or list existing projects.

Leaving this for others to test more fully.

CC: (none) => tarazed25

Comment 2 PC LX 2018-10-08 12:14:27 CEST
Installed and tested without issues.

Tests included local and remote repositories and the common operation (e.g. clone, commit, push, pull, diff, add, status, init).

System: Mageia 6, x86_64, Intel CPU.

The updated packages:
- git-2.13.7-1.2.mga6.x86_64
- git-arch-2.13.7-1.2.mga6.x86_64
- git-core-2.13.7-1.2.mga6.x86_64
- git-core-oldies-2.13.7-1.2.mga6.x86_64
- git-cvs-2.13.7-1.2.mga6.x86_64
- git-email-2.13.7-1.2.mga6.x86_64
- git-prompt-2.13.7-1.2.mga6.x86_64
- git-svn-2.13.7-1.2.mga6.x86_64
- gitk-2.13.7-1.2.mga6.x86_64
- perl-Git-2.13.7-1.2.mga6.x86_64
- perl-Git-SVN-2.13.7-1.2.mga6.x86_64

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i 'git.*2.13.7' | sort
git-2.13.7-1.2.mga6
git-arch-2.13.7-1.2.mga6
git-core-2.13.7-1.2.mga6
git-core-oldies-2.13.7-1.2.mga6
git-cvs-2.13.7-1.2.mga6
git-email-2.13.7-1.2.mga6
gitk-2.13.7-1.2.mga6
git-prompt-2.13.7-1.2.mga6
git-svn-2.13.7-1.2.mga6
perl-Git-2.13.7-1.2.mga6
perl-Git-SVN-2.13.7-1.2.mga6

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 3 Len Lawrence 2018-10-08 18:59:13 CEST
This can be validated on the basis of the tests by PC_LX.  Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2018-10-10 00:26:16 CEST
Debian has issued an advisory for this on October 5:
https://www.debian.org/security/2018/dsa-4311

CC: (none) => luigiwalser

Thomas Backlund 2018-10-14 01:49:05 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-10-14 02:59:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0395.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.