Security issues fixed upstream in Git have been announced today (December 13): https://www.openwall.com/lists/oss-security/2019/12/13/1 The issues are fixed in 2.21.1. The other CVEs in the announcement only affect Windows.
Stig has just updated Cauldron to version 2.24.1. May I assign this to you? [Complain privately if not, I am not CC'd]
Assignee: bugsquad => smelror
Nicolas is working on it.
Assignee: smelror => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. (CVE-2019-1348)

When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. (CVE-2019-1349)

Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. (CVE-2019-1387)

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. (CVE-2019-19604)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604
https://www.openwall.com/lists/oss-security/2019/12/13/1
========================

Updated packages in core/updates_testing:
========================
git-2.21.1-1.mga7
git-core-2.21.1-1.mga7
gitk-2.21.1-1.mga7
lib(64)git-devel-2.21.1-1.mga7
git-subtree-2.21.1-1.mga7
git-svn-2.21.1-1.mga7
git-cvs-2.21.1-1.mga7
git-arch-2.21.1-1.mga7
git-email-2.21.1-1.mga7
perl-Git-2.21.1-1.mga7
perl-Git-SVN-2.21.1-1.mga7
git-core-oldies-2.21.1-1.mga7
gitweb-2.21.1-1.mga7
git-prompt-2.21.1-1.mga7

from SRPMS:
git-2.21.1-1.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-1348, CVE-2019-1349, CVE-2019-1387, CVE-2019-19604
Keywords: (none) => advisory
CC: (none) => tmb
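The advisory above describes three constructs that the pre-2.21.1 packages would act on when handling an untrusted repository or import stream: a submodule `update` setting that runs a command (CVE-2019-19604), submodule names that are not validated strictly enough (CVE-2019-1387), and a `feature export-marks=...` command inside a fast-import stream (CVE-2019-1348). The following script is an added example for this report, not Mageia or upstream Git code, that scans a repository's `.gitmodules` and a fast-import stream for those constructs before they are handed to a possibly unpatched `git`. The name checks are conservative heuristics chosen here (reject `..` or `.git` components, absolute paths and backslashes), not the exact validation rules the upstream fix implements, and the `update = !command` form is the one the CVE-2019-19604 fix refuses to honour from `.gitmodules`. The sample inputs are constructed for the demonstration.

```python
"""Scan untrusted .gitmodules and fast-import input for the constructs
named in the Git 2.21.1 advisory (CVE-2019-1348, -1387, -19604).

Added example for this bug report; not Mageia or upstream Git code.
Heuristics are the editor's assumptions, not upstream's exact rules.
"""
import re
from typing import Dict, List, Tuple

# [submodule "name"] section header; the name may contain escaped quotes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# key = value line in git-config style; value kept verbatim (trailing space trimmed)
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
# In-stream fast-import command that sets an export-marks path (CVE-2019-1348).
EXPORT_MARKS_RE = re.compile(r'^feature\s+export-marks=(.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal parser for the git-config style .gitmodules format.

    Returns {submodule_name: {key: [values...]}}. Keys are lower-cased and
    repeated keys keep every value, so a second `update` line is not hidden.
    """
    modules: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':   # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).replace('\\"', '"').replace('\\\\', '\\')
            modules.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            modules[current].setdefault(m.group(1).lower(), []).append(m.group(2))
    return modules


def unsafe_submodule_name(name: str) -> bool:
    """Assumed heuristic: names that could steer the clone outside .git/modules/<name>."""
    if not name or name.startswith('/') or '\\' in name:
        return True
    return any(c == '..' or c.lower() == '.git' for c in name.split('/'))


def audit_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (cve, submodule_name, detail) findings for a .gitmodules text."""
    findings: List[Tuple[str, str, str]] = []
    for name, keys in parse_gitmodules(text).items():
        if unsafe_submodule_name(name):
            findings.append(('CVE-2019-1387', name, 'suspicious submodule name'))
        for value in keys.get('update', []):
            if value.startswith('!'):          # "!command" form is executed by old git
                findings.append(('CVE-2019-19604', name, 'update = ' + value))
    return findings


def audit_fast_import(stream: str) -> List[str]:
    """Return every export-marks path requested from inside a fast-import stream."""
    paths = []
    for line in stream.splitlines():
        m = EXPORT_MARKS_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


# Constructed sample inputs: one clean submodule, one with a traversal-style
# name and a command-style update; a tiny fast-import stream with export-marks.
SAMPLE_GITMODULES = (
    '[submodule "vendor/libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "../evil"]\n'
    '\tpath = evil\n'
    '\turl = https://example.invalid/evil.git\n'
    '\tupdate = !echo hello\n'
)
SAMPLE_FAST_IMPORT = (
    'feature done\n'
    'feature export-marks=/tmp/marks\n'
    'blob\nmark :1\ndata 5\nhello\ndone\n'
)

if __name__ == '__main__':
    for cve, name, detail in audit_gitmodules(SAMPLE_GITMODULES):
        print(f'{cve}: submodule "{name}": {detail}')
    for path in audit_fast_import(SAMPLE_FAST_IMPORT):
        print(f'CVE-2019-1348: stream requests export-marks to {path}')
```

Run it against `cat .gitmodules` of a freshly fetched repository before `git submodule update --recursive`, or pipe a third-party fast-import stream through `audit_fast_import`; a non-empty result is a reason to refuse the input on hosts that still carry a git older than the fixed 2.21.1 packages.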
Debian and Ubuntu have issued advisories for this on December 10: https://www.debian.org/security/2019/dsa-4581 https://usn.ubuntu.com/4220-1/
Severity: normal => major
Installed and tested without issues. Tested using existing, cloned and newly created repositories. Most operations were tested. No issues found.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i git.*2\.21\.1 | sort
git-2.21.1-1.mga7
git-core-2.21.1-1.mga7
git-email-2.21.1-1.mga7
gitk-2.21.1-1.mga7
git-subtree-2.21.1-1.mga7
perl-Git-2.21.1-1.mga7
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0393.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED