Bug 30277 - git new security issue CVE-2022-24765
Summary: git new security issue CVE-2022-24765
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-12 22:40 CEST by David Walser
Modified: 2022-04-22 19:08 CEST

See Also:
Source RPM: git-2.30.2-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-04-12 22:40:53 CEST
Upstream has announced a security issue fixed in git today (April 12):
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

The issue is fixed upstream in 2.30.3 and 2.35.2.

Mageia 8 is also affected.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated git packages fix security vulnerability:

On multi-user machines, Git users might find themselves unexpectedly in a Git
worktree, e.g. when another user created a repository in /tmp, in a mounted
network drive or in a scratch space. Merely having a Git-aware prompt that
runs 'git status' (or 'git diff') and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an editor or IDE
such as VS Code or Atom, will potentially run commands defined by that other
user (CVE-2022-24765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
========================

Updated packages in core/updates_testing:
========================
git-2.30.3-1.mga8
git-core-oldies-2.30.3-1.mga8
git-prompt-2.30.3-1.mga8
git-arch-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8
git-email-2.30.3-1.mga8
git-svn-2.30.3-1.mga8
perl-Git-SVN-2.30.3-1.mga8
git-cvs-2.30.3-1.mga8
gitweb-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
libgit-devel-2.30.3-1.mga8
git-core-2.30.3-1.mga8

from git-2.30.3-1.mga8.src.rpm
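A defender's view of what the fix does, as an added example that is not code from the Mageia package or from git itself: a Python check that mirrors the ownership test git 2.30.3 applies when it walks up the directory tree looking for a worktree, so a repository planted by another user under /tmp or a network mount is refused instead of having its config and hooks read. The `safe_dirs` allowlist plays the role of git's `safe.directory` setting and `ceiling` plays the role of GIT_CEILING_DIRECTORIES; the scratch layout and the "other user" uid are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional


def find_git_dir(start: Path, trusted_uid: int,
                 safe_dirs: Iterable[Path] = (),
                 ceiling: Optional[Path] = None) -> Optional[Path]:
    """Walk up from `start` looking for a `.git` entry, as git does when
    discovering a worktree, and return the worktree root only if it is safe.

    A worktree is safe when the directory holding `.git` is owned by
    `trusted_uid` (normally the calling user) or is listed in `safe_dirs`
    (the equivalent of git's `safe.directory` allowlist). Any other owner
    is treated as a repository another user planted, and None is returned
    so the caller never reads that repository's config or runs its hooks.
    Directories above `ceiling` are not examined.
    """
    safe = {Path(p).resolve() for p in safe_dirs}
    top = Path(ceiling).resolve() if ceiling is not None else None
    current = Path(start).resolve()
    while True:
        if (current / ".git").exists():
            if current.stat().st_uid == trusted_uid or current in safe:
                return current
            return None  # a worktree, but it belongs to someone else
        if current.parent == current or current == top:
            return None  # reached the filesystem root or the ceiling
        current = current.parent


def demo() -> dict:
    """Build a constructed scratch layout and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "scratch"
        (root / ".git").mkdir(parents=True)
        root = root.resolve()
        nested = root / "a" / "b"  # user "cd"s here and a prompt runs git
        nested.mkdir(parents=True)
        me = os.getuid()
        someone_else = me + 1  # constructed: simulates another user's uid
        return {
            "own_repo": find_git_dir(nested, me) == root,
            "foreign_repo": find_git_dir(nested, someone_else) is None,
            "allowlisted": find_git_dir(nested, someone_else, [root]) == root,
            "no_repo": find_git_dir(Path(tmp), me, ceiling=Path(tmp)) is None,
        }


if __name__ == "__main__":
    print(demo())
```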
Comment 1 David Walser 2022-04-12 22:53:02 CEST
Ubuntu has issued an advisory for this today (April 12):
https://ubuntu.com/security/notices/USN-5376-1
Comment 2 Herman Viaene 2022-04-13 11:34:40 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Ref bug 26516 Comment 1 for testing.
$ git init
hint: a few of those
Initialized empty Git repository in /home/tester8/.git/
[tester8@mach5 ~ (master)]$ git config --global user.name "tester8"
[tester8@mach5 ~ (master)]$ git config --global user.email "herman.viaene@hotmail.be"
[tester8@mach5 ~ (master)]$ git add ~/Documenten/fribidi.txt 

[tester8@mach5 ~ (master)]$ git branch
[tester8@mach5 ~ (master)]$ git show
fatal: your current branch 'master' does not have any commits yet
[tester8@mach5 ~ (master)]$ git commit
Aborting commit due to empty commit message.
This seems different from previous versions, but seems logical.
[tester8@mach5 ~ (master)]$ git commit -m"message"
[master (root-commit) c56ff46] message
 1 file changed, 147490 insertions(+)
 create mode 100644 Documenten/fribidi.txt
[tester8@mach5 ~ (master)]$ git show
commit c56ff46718d7d2bc7f772e190a7aff1648871e12 (HEAD -> master)
Author: tester8 <herman.viaene@hotmail.be>
Date:   Wed Apr 13 11:11:30 2022 +0200

    message

diff --git a/Documenten/fribidi.txt b/Documenten/fribidi.txt
new file mode 100644
index 0000000..29a0692
--- /dev/null
+++ b/Documenten/fribidi.txt
and then the contents of the file.

This all seems in line with the older test, but whether this is sufficient, I don't know since I'm absolutely not familiar with git.

CC: (none) => herman.viaene

Comment 3 PC LX 2022-04-14 12:12:38 CEST
Installed and tested without issues.

Tested with existing, cloned and new repositories. Integration with the QtCreate, Netbeans and KDevelop IDEs was tested. A bunch of CLI commands were tested.

No issues found.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.15.32-desktop-1.mga8 #1 SMP Mon Mar 28 08:31:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i git.*2\.30 | sort
git-2.30.3-1.mga8
git-core-2.30.3-1.mga8
git-email-2.30.3-1.mga8
gitk-2.30.3-1.mga8
git-subtree-2.30.3-1.mga8
perl-Git-2.30.3-1.mga8

CC: (none) => mageia

Comment 4 Thomas Andrews 2022-04-14 14:34:34 CEST
Sounds like enough to me. Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Comment 5 David Walser 2022-04-15 20:23:59 CEST
An improvement was made to the fix for this issue:
https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/T/#u

Update to 2.30.4 building... please test again.

git-2.30.4-1.mga8
git-core-oldies-2.30.4-1.mga8
git-prompt-2.30.4-1.mga8
git-arch-2.30.4-1.mga8
perl-Git-2.30.4-1.mga8
git-email-2.30.4-1.mga8
git-svn-2.30.4-1.mga8
perl-Git-SVN-2.30.4-1.mga8
git-cvs-2.30.4-1.mga8
gitweb-2.30.4-1.mga8
gitk-2.30.4-1.mga8
git-subtree-2.30.4-1.mga8
libgit-devel-2.30.4-1.mga8
git-core-2.30.4-1.mga8

from git-2.30.4-1.mga8.src.rpm

Keywords: validated_update => (none)
Whiteboard: MGA8-64-OK => (none)

Comment 6 Dave Hodgins 2022-04-20 03:35:25 CEST
Update installs cleanly.
[dave@x3 copyiso2usb (master)]$ git pull --rebase
Already up to date.

Validating the update. Advisory committed to svn.

CC: (none) => davidwhodgins
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK

Comment 7 Mageia Robot 2022-04-22 19:08:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0147.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

