Upstream has announced a security issue fixed in git today (April 12):
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

The issue is fixed upstream in 2.30.3 and 2.35.2.

Mageia 8 is also affected.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated git packages fix security vulnerability:

On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in /tmp, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user (CVE-2022-24765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
========================

Updated packages in core/updates_testing:
========================
git-2.30.3-1.mga8
git-core-oldies-2.30.3-1.mga8
git-prompt-2.30.3-1.mga8
git-arch-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8
git-email-2.30.3-1.mga8
git-svn-2.30.3-1.mga8
perl-Git-SVN-2.30.3-1.mga8
git-cvs-2.30.3-1.mga8
gitweb-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
libgit-devel-2.30.3-1.mga8
git-core-2.30.3-1.mga8

from git-2.30.3-1.mga8.src.rpm
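To check a machine for the condition the advisory describes, the script below walks upward from a directory and reports when the nearest enclosing worktree belongs to a different user. It is an added example, not code from Mageia or the git project; the function names are hypothetical, and the discovery logic is a simplified model that only recognises a '.git' entry (bare repositories, GIT_DIR and GIT_CEILING_DIRECTORIES are ignored).

```python
#!/usr/bin/env python3
"""Report when a directory sits inside a Git worktree owned by another user.

Simplified model of upward repository discovery: only a '.git' entry is
recognised (bare repositories, GIT_DIR and GIT_CEILING_DIRECTORIES are ignored).
"""
import os
import sys
from pathlib import Path


def nearest_worktree(start):
    """Return the closest ancestor of start (inclusive) that contains '.git'."""
    here = Path(start).resolve()
    for candidate in (here, *here.parents):
        if (candidate / ".git").exists():
            return candidate
    return None


def foreign_owner(start, uid=None):
    """Return (worktree, owner_uid) if the enclosing worktree or its '.git'
    entry belongs to a uid other than `uid` (default: the effective uid);
    return None when there is no worktree or it is our own."""
    uid = os.geteuid() if uid is None else uid
    worktree = nearest_worktree(start)
    if worktree is None:
        return None
    for path in (worktree, worktree / ".git"):
        owner = path.lstat().st_uid
        if owner != uid:
            return worktree, owner
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hit = foreign_owner(target)
    if hit:
        print(f"{target}: inside worktree {hit[0]} owned by uid {hit[1]}")
        sys.exit(1)
    print(f"{target}: no foreign-owned worktree above this directory")
```

Run it with a path such as a scratch directory under /tmp; exit status 1 means a prompt or IDE opened there would pick up a repository that another account controls.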
Ubuntu has issued an advisory for this today (April 12): https://ubuntu.com/security/notices/USN-5376-1
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Ref bug 26516 Comment 1 for testing.

$ git init
hint: a few of those
Initialized empty Git repository in /home/tester8/.git/
[tester8@mach5 ~ (master)]$ git config --global user.name "tester8"
[tester8@mach5 ~ (master)]$ git config --global user.email "herman.viaene@hotmail.be"
[tester8@mach5 ~ (master)]$ git add ~/Documenten/fribidi.txt
[tester8@mach5 ~ (master)]$ git branch
[tester8@mach5 ~ (master)]$ git show
fatal: your current branch 'master' does not have any commits yet
[tester8@mach5 ~ (master)]$ git commit
Aborting commit due to empty commit message.

this seems different from previous versions, but seems logical.

[tester8@mach5 ~ (master)]$ git commit -m"message"
[master (root-commit) c56ff46] message
1 file changed, 147490 insertions(+)
create mode 100644 Documenten/fribidi.txt
[tester8@mach5 ~ (master)]$ git show
commit c56ff46718d7d2bc7f772e190a7aff1648871e12 (HEAD -> master)
Author: tester8 <herman.viaene@hotmail.be>
Date: Wed Apr 13 11:11:30 2022 +0200

message

diff --git a/Documenten/fribidi.txt b/Documenten/fribidi.txt
new file mode 100644
index 0000000..29a0692
--- /dev/null
+++ b/Documenten/fribidi.txt

and then the contents of the file.

This all seems in line with the older test, but whether this is sufficient, I don't know since I'm absolutely not familiar with git.
CC: (none) => herman.viaene
Installed and tested without issues.

Tested with existing, cloned and new repositories.
Integration with QtCreate, Netbeans and KDevelop IDE were tested.
Bunch of CLI commands were tested.
No issues found.

System: Mageia 8, x86_64, Intel CPU.

$ uname -a
Linux marte 5.15.32-desktop-1.mga8 #1 SMP Mon Mar 28 08:31:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i git.*2\.30 | sort
git-2.30.3-1.mga8
git-core-2.30.3-1.mga8
git-email-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8
CC: (none) => mageia
Sounds like enough to me. Validating. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
An improvement was made to the fix for this issue:
https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/T/#u

Update to 2.30.4 building...please test again.

git-2.30.4-1.mga8
git-core-oldies-2.30.4-1.mga8
git-prompt-2.30.4-1.mga8
git-arch-2.30.4-1.mga8
perl-Git-2.30.4-1.mga8
git-email-2.30.4-1.mga8
git-svn-2.30.4-1.mga8
perl-Git-SVN-2.30.4-1.mga8
git-cvs-2.30.4-1.mga8
gitweb-2.30.4-1.mga8
gitk-2.30.4-1.mga8
git-subtree-2.30.4-1.mga8
libgit-devel-2.30.4-1.mga8
git-core-2.30.4-1.mga8

from git-2.30.4-1.mga8.src.rpm
Keywords: validated_update => (none)
Whiteboard: MGA8-64-OK => (none)
Update installs cleanly.

[dave@x3 copyiso2usb (master)]$ git pull --rebase
Already up to date.

Validating the update. Advisory committed to svn.
CC: (none) => davidwhodgins
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0147.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED