28566 – git new security issue CVE-2021-21300

Bug 28566 - git new security issue CVE-2021-21300

Summary: git new security issue CVE-2021-21300

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7TOO, MGA8-64-OK, MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-03-09 20:07 CET by David Walser
Modified:	2021-05-28 20:20 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	git-2.30.1-1.mga8.src.rpm
CVE:	CVE-2021-21300
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-03-09 20:07:22 CET

Upstream has announced a security issue in git today (March 9):
https://lkml.org/lkml/2021/3/9/995

The issue is fixed upstream in 2.21.4 and 2.30.2.

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-03-09 20:07:39 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.21.4 and 2.30.2

Comment 1 Nicolas Lécureuil 2021-03-09 21:02:10 CET

Fixed in caudron mga 7/8


src:

CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-03-09 21:03:14 CET

Fixed in caudron mga 7/8


src:
     - git-2.21.4-1.mga7
     - git-2.30.2-1.mga8

Status comment: Fixed upstream in 2.21.4 and 2.30.2 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bugsquad => qa-bugs

Comment 3 Lewis Smith 2021-03-09 21:06:02 CET

Quick work! It will need the advisory.

Comment 4 David Walser 2021-03-10 00:31:12 CET

Advisory:
========================

Updated git packages fix security vulnerability:

On case-insensitive file systems with support for symbolic links, if Git is
configured globally to apply delay-capable clean/smudge filters (such as Git
LFS), Git could be fooled into running remote code during a clone
(CVE-2021-21300).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300
https://lkml.org/lkml/2021/3/9/995
========================

Updated packages in core/updates_testing:
========================
git-2.21.4-1.mga7
git-core-2.21.4-1.mga7
gitk-2.21.4-1.mga7
libgit-devel-2.21.4-1.mga7
git-subtree-2.21.4-1.mga7
git-svn-2.21.4-1.mga7
git-cvs-2.21.4-1.mga7
git-arch-2.21.4-1.mga7
git-email-2.21.4-1.mga7
perl-Git-2.21.4-1.mga7
perl-Git-SVN-2.21.4-1.mga7
git-core-oldies-2.21.4-1.mga7
gitweb-2.21.4-1.mga7
git-prompt-2.21.4-1.mga7
git-2.30.2-1.mga8
git-core-oldies-2.30.2-1.mga8
git-core-2.30.2-1.mga8
libgit-devel-2.30.2-1.mga8
gitk-2.30.2-1.mga8
gitweb-2.30.2-1.mga8
git-cvs-2.30.2-1.mga8
git-subtree-2.30.2-1.mga8
perl-Git-SVN-2.30.2-1.mga8
git-svn-2.30.2-1.mga8
git-email-2.30.2-1.mga8
perl-Git-2.30.2-1.mga8
git-arch-2.30.2-1.mga8
git-prompt-2.30.2-1.mga8

from SRPMS:
git-2.21.4-1.mga7.src.rpm
git-2.30.2-1.mga8.src.rpm

Thomas Backlund 2021-03-12 01:31:00 CET

Whiteboard: MGA7TOO => MGA7TOO, MGA8-64-OK

Comment 5 Thomas Backlund 2021-03-12 19:59:33 CET

running mga7 x86_64 packages on Mageia infra with no issues so far...

Whiteboard: MGA7TOO, MGA8-64-OK => MGA7TOO, MGA8-64-OK, MGA7-64-OK

Comment 6 Thomas Andrews 2021-03-13 13:04:25 CET

Good enough for me. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Aurelien Oudelet 2021-03-14 16:55:23 CET

Same for me on Mageia 8 x86_64.

Advisory committed to SVN.

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-21300
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-03-14 22:22:31 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0137.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 9 David Walser 2021-05-28 20:20:04 CEST

Ubuntu has issued an advisory for this on March 9:
https://ubuntu.com/security/notices/USN-4761-1

Note You need to log in before you can comment on or make changes to this bug.