This is a security release fixing the following issues:

- A carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service.
- The ProgramData configuration file is always read for compatibility with Git for Windows and Portable Git installations. The ProgramData location is not necessarily writable only by administrators, so we now ensure that the configuration file is owned by the administrator or the current user.
Source RPM: (none) => libgit2-0.28.1-1.mga7.src.rpm
Whiteboard: (none) => MGA7TOO
Here's the missing reference: https://github.com/libgit2/libgit2/releases/tag/v0.28.3 Mageia 6 is still missing an update for this package also in Bug 22813.
Several CVEs fixed in version 0.28.4 and 0.27.10. https://github.com/libgit2/libgit2/releases/tag/v0.28.4
Severity: normal => critical
Priority: Normal => High
Version 0.28.4 pushed to Cauldron.
Advisory
========

libgit2 has been updated to version 0.28.4 to fix several security issues.

* CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths. As libgit2 does not offer any interface for fast-import, it is not susceptible to this vulnerability.
* CVE-2019-1349: by using NTFS 8.3 short names, backslashes or alternate file streams, it is possible to cause submodules to be written into pre-existing directories during a recursive clone using git. As libgit2 rejects cloning into non-empty directories by default, it is not susceptible to this vulnerability.
* CVE-2019-1350: recursive clones may lead to arbitrary remote code execution due to improper quoting of command line arguments. As libgit2 uses libssh2, which does not require us to perform command line parsing, it is not susceptible to this vulnerability.
* CVE-2019-1351: Windows provides the ability to substitute drive letters with arbitrary letters, including multi-byte Unicode letters. To fix any potential issues arising from interpreting such paths as relative paths, we have extended detection of DOS drive prefixes to accommodate such cases.
* CVE-2019-1352: by using NTFS-style alternate file streams for the ".git" directory, it is possible to overwrite parts of the repository. While this has been fixed in the past for Windows, the same vulnerability may also exist on other systems that write to NTFS filesystems. We now reject any paths starting with ".git:" on all systems.
* CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write to the ".git" directory and thus overwrite parts of the repository, leading to possible remote code execution. While this problem was already fixed in the past for Windows, other systems accessing NTFS filesystems are vulnerable to this issue too. We now enable NTFS protections by default on all systems to fix this attack vector.
* CVE-2019-1354: on Windows, backslashes are not a valid part of a filename but are instead interpreted as directory separators. As other platforms allowed the use of such paths, it was possible to write such invalid entries into a Git repository, which was thus an attack vector to write into the ".git" directory. We now reject any entries starting with ".git" on all systems.
* CVE-2019-1387: it is possible to let a submodule's git directory point into a sibling's submodule directory, which may result in overwriting parts of the Git repository and thus lead to arbitrary command execution. As libgit2 doesn't provide any way to do submodule clones natively, it is not susceptible to this vulnerability. Users of libgit2 that have implemented recursive submodule clones manually are encouraged to review their implementation for this vulnerability.

References
==========
https://github.com/libgit2/libgit2/releases/tag/v0.28.4

Files
=====
Uploaded to core/updates_testing
lib64git2-devel-0.28.4-1.mga7
lib64git2_28-0.28.4-1.mga7
from lib64git2-0.28.4-1.mga7.src.rpm
Assignee: thierry.vignaud => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
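As an added illustration for the path-based issues in the advisory above (CVE-2019-1352, CVE-2019-1353 and CVE-2019-1354), here is a standalone C check that applies the rules it describes to one tree-entry path. This is example code written for this page, not libgit2's implementation and not part of this bug report; the function names `is_dotgit_component` and `entry_path_is_safe` are my own, the sample entry names are constructed, and the trimming of trailing dots and spaces is an extra NTFS rule that the advisory text does not mention.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of a length-delimited string with a lowercase literal. */
static bool ieq(const char *s, size_t len, const char *lit)
{
    size_t n = strlen(lit);
    if (len != n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)lit[i])
            return false;
    return true;
}

/*
 * Does one path component name the ".git" directory on some filesystem?
 * Spellings covered, following the advisory:
 *   - ".git" in any letter case (NTFS and the default HFS+/APFS are case-insensitive);
 *   - ".git" followed by an NTFS alternate data stream, e.g. ".git:$INDEX_ALLOCATION"
 *     (CVE-2019-1352);
 *   - the NTFS 8.3 short name "git~1" (CVE-2019-1353), generalised here to "git~<digits>".
 * Trailing dots and spaces are stripped first because NTFS ignores them when
 * resolving a name (an assumption added for this example, not in the advisory text).
 */
bool is_dotgit_component(const char *c, size_t len)
{
    const char *colon = memchr(c, ':', len);
    if (colon)
        len = (size_t)(colon - c);          /* drop the ":stream" suffix */
    while (len > 0 && (c[len - 1] == '.' || c[len - 1] == ' '))
        len--;                              /* characters NTFS would trim */

    if (ieq(c, len, ".git"))
        return true;

    if (len >= 5 && tolower((unsigned char)c[0]) == 'g' &&
        tolower((unsigned char)c[1]) == 'i' &&
        tolower((unsigned char)c[2]) == 't' && c[3] == '~') {
        for (size_t i = 4; i < len; i++)
            if (!isdigit((unsigned char)c[i]))
                return false;
        return true;                        /* 8.3 short name such as GIT~1 */
    }
    return false;
}

/*
 * Check a full tree-entry path. Both '/' and '\\' are treated as separators,
 * because Windows interprets a backslash as one even when another platform
 * wrote it into the entry name (CVE-2019-1354). Returns false if any
 * component would land the entry inside ".git".
 */
bool entry_path_is_safe(const char *path)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (is_dotgit_component(start, (size_t)(p - start)))
                return false;
            if (*p == '\0')
                return true;
            start = p + 1;
        }
    }
}

int main(void)
{
    /* constructed sample entry names, not taken from any real repository */
    const char *samples[] = {
        "src/main.c", ".gitignore", ".git/config", "sub/.GIT/hooks/post-checkout",
        ".git:$INDEX_ALLOCATION/hooks/post-checkout", "GIT~1/hooks/post-checkout",
        "sub\\.git\\config", ".git./config",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i], entry_path_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check is applied per component rather than only to the leading ".git", so an entry such as `sub\.git\config` is rejected even though a Unix checkout would happily create a file whose name contains backslashes; that is exactly the cross-platform gap the advisory describes.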
Some of those CVEs are Windows only, and you're missing the CVEs from the previous missed update.
Advisory
========

libgit2 has been updated to version 0.28.4 to fix several security issues.

* A carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service.
* CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths. As libgit2 does not offer any interface for fast-import, it is not susceptible to this vulnerability.
* CVE-2019-1350: recursive clones may lead to arbitrary remote code execution due to improper quoting of command line arguments. As libgit2 uses libssh2, which does not require us to perform command line parsing, it is not susceptible to this vulnerability.
* CVE-2019-1387: it is possible to let a submodule's git directory point into a sibling's submodule directory, which may result in overwriting parts of the Git repository and thus lead to arbitrary command execution. As libgit2 doesn't provide any way to do submodule clones natively, it is not susceptible to this vulnerability. Users of libgit2 that have implemented recursive submodule clones manually are encouraged to review their implementation for this vulnerability.

References
==========
https://github.com/libgit2/libgit2/releases/tag/v0.28.3
https://github.com/libgit2/libgit2/releases/tag/v0.28.4

Files
=====
Uploaded to core/updates_testing
lib64git2-devel-0.28.4-1.mga7
lib64git2_28-0.28.4-1.mga7
from lib64git2-0.28.4-1.mga7.src.rpm
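The first item in the advisory, a commit object with a very large number of parents, is a bounds problem in header parsing. As an added example (not libgit2's code and not part of this bug report), here is a C parser for the commit header that grows its parent array on demand and refuses an object claiming more than an assumed ceiling, `MAX_PARENTS`, instead of writing past a fixed-size buffer. `parse_commit_parents`, `parent_list`, `build_commit_header` and the value of `MAX_PARENTS` are choices made for this example, and the header the builder produces is constructed test input rather than a real object.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define OID_HEX_LEN 40
#define MAX_PARENTS 1024   /* assumed ceiling for this example, not libgit2's value */

/* Parent ids of one commit, grown on demand rather than held in a fixed buffer. */
typedef struct {
    char (*ids)[OID_HEX_LEN + 1];
    size_t count;
    size_t cap;
} parent_list;

void parent_list_free(parent_list *pl)
{
    free(pl->ids);
    pl->ids = NULL;
    pl->count = pl->cap = 0;
}

/* Append one hex id; refuses once MAX_PARENTS is reached, so a hostile object
 * can neither overrun a fixed array nor drive unbounded allocation. */
static int push_parent(parent_list *pl, const char *hex)
{
    if (pl->count >= MAX_PARENTS)
        return -1;
    if (pl->count == pl->cap) {
        size_t ncap = pl->cap ? pl->cap * 2 : 4;
        void *n = realloc(pl->ids, ncap * sizeof *pl->ids);
        if (!n)
            return -1;
        pl->ids = n;
        pl->cap = ncap;
    }
    memcpy(pl->ids[pl->count], hex, OID_HEX_LEN);
    pl->ids[pl->count][OID_HEX_LEN] = '\0';
    pl->count++;
    return 0;
}

/* Expect "<kw> <40 hex digits>\n" at *p; on success set *hex and advance *p past it. */
static int take_oid_line(const char **p, const char *end, const char *kw, const char **hex)
{
    size_t kl = strlen(kw);
    if ((size_t)(end - *p) < kl + 1 + OID_HEX_LEN + 1 || memcmp(*p, kw, kl) != 0 || (*p)[kl] != ' ')
        return -1;
    *hex = *p + kl + 1;
    for (size_t i = 0; i < OID_HEX_LEN; i++)
        if (!isxdigit((unsigned char)(*hex)[i]))
            return -1;
    if ((*hex)[OID_HEX_LEN] != '\n')
        return -1;
    *p = *hex + OID_HEX_LEN + 1;
    return 0;
}

/* Parse the header of an inflated commit object (the "commit <size>\0" prefix
 * already removed): "tree <oid>\n", zero or more "parent <oid>\n", then "author ".
 * Returns the parent count, or -1 for a malformed header or one claiming more
 * than MAX_PARENTS parents; on -1 the list is left empty. */
int parse_commit_parents(const char *obj, size_t len, parent_list *out)
{
    const char *p = obj, *end = obj + len, *hex;
    memset(out, 0, sizeof *out);

    if (take_oid_line(&p, end, "tree", &hex) < 0)
        return -1;
    while ((size_t)(end - p) >= 7 && memcmp(p, "parent ", 7) == 0) {
        if (take_oid_line(&p, end, "parent", &hex) < 0 || push_parent(out, hex) < 0) {
            parent_list_free(out);
            return -1;
        }
    }
    if ((size_t)(end - p) < 7 || memcmp(p, "author ", 7) != 0) {
        parent_list_free(out);
        return -1;
    }
    return (int)out->count;
}

/* Build a synthetic commit header with n parents (constructed test input). */
char *build_commit_header(size_t n, size_t *len_out)
{
    const char *tree = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n";
    const char *par  = "parent 0123456789abcdef0123456789abcdef01234567\n";
    const char *tail = "author A U Thor <a@example.com> 0 +0000\n"
                       "committer A U Thor <a@example.com> 0 +0000\n\nmsg\n";
    size_t tl = strlen(tree), pn = strlen(par), al = strlen(tail);
    char *buf = malloc(tl + n * pn + al + 1), *q = buf;
    if (!buf)
        return NULL;
    memcpy(q, tree, tl); q += tl;
    for (size_t i = 0; i < n; i++) { memcpy(q, par, pn); q += pn; }
    memcpy(q, tail, al + 1);
    *len_out = tl + n * pn + al;
    return buf;
}
```

Every length check is done against `end` before any `memcmp` or index, and the only growth path is `realloc` under a hard cap, so an object that repeats `parent` lines until the buffer is exhausted produces a clean -1 rather than a write past the end of an array.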
Installed and tested without issues. Tested using the basket application with the version sync enabled. No regressions noticed.

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep git2_28 | sort
lib64git2_28-0.28.4-1.mga7

$ urpmq --whatrequires lib64git2_28
basket
calligra-gemini
fritzing
geany-plugins-git-changebar
lib64basketcommon5
lib64git2-devel
lib64git2-glib1.0_0
lib64git2_28
lib64kf5texteditor5
python2-pygit2
python3-pygit2
subsurface

$ strace -o tmp/strace.log basket
<SNIP>

$ grep libgit2 tmp/strace.log
openat(AT_FDCWD, "/lib64/libgit2.so.28", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libgit2.so.0.28.4", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libgit2.so.0.28.4", O_RDONLY) = 11

$ grep '/basket/.git/' tmp/strace.log | wc -l
742
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Validating. Corrected Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0391.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
Fedora has issued an advisory for this on December 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5NL3V3X6CPW4BWZZELZS3XO6Z4QA2TJO/
This update also fixed CVE-2020-12278 and CVE-2020-12279 (fixed in 0.28.4): https://www.debian.org/lts/security/2022/dla-2936