Advisory: joernchen of Phenoelit discovered that git is prone to an arbitrary code execution vulnerability due to insufficient validation of submodule url and path via a specially crafted .gitmodules file in a project cloned with --recurse-submodules (CVE-2018-17456).

SRPM:
git-2.13.7-1.2.mga6.src.rpm

i586:
git-2.13.7-1.2.mga6.i586.rpm
git-arch-2.13.7-1.2.mga6.i586.rpm
git-core-2.13.7-1.2.mga6.i586.rpm
git-core-oldies-2.13.7-1.2.mga6.i586.rpm
git-cvs-2.13.7-1.2.mga6.i586.rpm
git-email-2.13.7-1.2.mga6.i586.rpm
gitk-2.13.7-1.2.mga6.i586.rpm
git-prompt-2.13.7-1.2.mga6.i586.rpm
git-svn-2.13.7-1.2.mga6.i586.rpm
gitweb-2.13.7-1.2.mga6.i586.rpm
libgit-devel-2.13.7-1.2.mga6.i586.rpm
perl-Git-2.13.7-1.2.mga6.i586.rpm
perl-Git-SVN-2.13.7-1.2.mga6.i586.rpm

x86_64:
git-2.13.7-1.2.mga6.x86_64.rpm
git-arch-2.13.7-1.2.mga6.x86_64.rpm
git-core-2.13.7-1.2.mga6.x86_64.rpm
git-core-oldies-2.13.7-1.2.mga6.x86_64.rpm
git-cvs-2.13.7-1.2.mga6.x86_64.rpm
git-email-2.13.7-1.2.mga6.x86_64.rpm
gitk-2.13.7-1.2.mga6.x86_64.rpm
git-prompt-2.13.7-1.2.mga6.x86_64.rpm
git-svn-2.13.7-1.2.mga6.x86_64.rpm
gitweb-2.13.7-1.2.mga6.x86_64.rpm
lib64git-devel-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-2.13.7-1.2.mga6.x86_64.rpm
perl-Git-SVN-2.13.7-1.2.mga6.x86_64.rpm
Summary: Update request: git-2.13.7-1.2.mga6 => git new security issue CVE-2018-17456
Source RPM: git => git-2.13.7-1.mga6.src.rpm
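The validation the advisory above refers to can be reproduced as a pre-clone check: the upstream fix for CVE-2018-17456 makes git reject submodule URLs and paths that begin with "-", because such values would otherwise reach the child "git clone" as options. The scanner below is an added example, not code from the Mageia bug or from git itself; it parses a .gitmodules file and reports entries that fail that check, using a constructed sample file.

```python
"""Flag submodule entries in .gitmodules that git 2.19.1+ refuses.

Added example (not from the Mageia bug or the git project). The sample
.gitmodules below is constructed; run the scanner on a real file with
scan_text(open(".gitmodules").read()) before cloning with --recurse-submodules.
"""
import re

# Constructed sample: one ordinary submodule, one whose url starts with "-".
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.invalid/lib.git
[submodule "evil"]
\tpath = evil
\turl = -not-a-url
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(path|url)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {submodule name: {"path": ..., "url": ...}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return modules


def check_submodules(modules):
    """Return (name, reason) findings: url or path beginning with a dash."""
    findings = []
    for name, cfg in modules.items():
        for key in ("url", "path"):
            value = cfg.get(key, "")
            if value.startswith("-"):
                findings.append((name, f"{key} starts with '-': {value!r}"))
    return findings


def scan_text(text):
    """Convenience wrapper: parse then check, returning the findings list."""
    return check_submodules(parse_gitmodules(text))


if __name__ == "__main__":
    for name, reason in scan_text(SAMPLE_GITMODULES):
        print(f"REJECT submodule {name!r}: {reason}")
```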
Mageia 6, x86_64

Before updating: Checked for the presence of the packages listed. Installed gitweb. Consulted man pages for git and gittutorial and introduced myself to github.

$ git config --global user.name <user>
$ git config --global user.email <email>

Updated all the packages listed.

$ git --version
git version 2.13.7

Repeated the user introduction. No objections raised.

$ git init
Initialized empty Git repository in /home/lcl/ruby/qa/.git/

That just happened to be where the terminal was sitting. I have a large number of local utilities and projects but nothing in a form suitable for creating a project tarball (presumably there are standards to be observed), so I cannot take this any further. The man pages or --help do not say how to interrogate github or list existing projects. Leaving this for others to test more fully.
CC: (none) => tarazed25
Installed and tested without issues. Tests included local and remote repositories and the common operations (e.g. clone, commit, push, pull, diff, add, status, init).

System: Mageia 6, x86_64, Intel CPU.

The updated packages:
- git-2.13.7-1.2.mga6.x86_64
- git-arch-2.13.7-1.2.mga6.x86_64
- git-core-2.13.7-1.2.mga6.x86_64
- git-core-oldies-2.13.7-1.2.mga6.x86_64
- git-cvs-2.13.7-1.2.mga6.x86_64
- git-email-2.13.7-1.2.mga6.x86_64
- git-prompt-2.13.7-1.2.mga6.x86_64
- git-svn-2.13.7-1.2.mga6.x86_64
- gitk-2.13.7-1.2.mga6.x86_64
- perl-Git-2.13.7-1.2.mga6.x86_64
- perl-Git-SVN-2.13.7-1.2.mga6.x86_64

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | egrep -i 'git.*2.13.7' | sort
git-2.13.7-1.2.mga6
git-arch-2.13.7-1.2.mga6
git-core-2.13.7-1.2.mga6
git-core-oldies-2.13.7-1.2.mga6
git-cvs-2.13.7-1.2.mga6
git-email-2.13.7-1.2.mga6
gitk-2.13.7-1.2.mga6
git-prompt-2.13.7-1.2.mga6
git-svn-2.13.7-1.2.mga6
perl-Git-2.13.7-1.2.mga6
perl-Git-SVN-2.13.7-1.2.mga6
CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK
This can be validated on the basis of the tests by PC_LX. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on October 5: https://www.debian.org/security/2018/dsa-4311
CC: (none) => luigiwalser
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0395.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED