Debian-LTS has issued an advisory on January 31:
The issues are fixed upstream in 1.13.0.
Mageia 8 is also affected.
Fixed upstream in 1.13.0Whiteboard:
Fedora has issued an advisory for this on January 30:
Assigning to all packagers collectively, because there is no registered maintainer for this packages.
CC'ing pterjan, who was the last one to push it.
The updated packages fix security vulnerabilities:
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. (CVE-2022-46648, CVE-2022-47318)
Updated packages in core/updates_testing:
Fixed upstream in 1.13.0 =>
Ruby git was already installed.
Had a look at the CVEs but could not figure out how to reproduce the vulnerability and lacking any familiarity with GitHub or git had to make do with a single call to Gif.init to create a local repository in an empty directory.
$ ruby -W0 -rgit -e "Git.init"
That worked. Emptied the directory afterwards and updated the packages.
Running the same command produced the same result.
It created a new folder .git in the current directory with contents:
│ ├── applypatch-msg.sample
│ ├── commit-msg.sample
│ ├── fsmonitor-watchman.sample
│ ├── post-update.sample
│ ├── pre-applypatch.sample
│ ├── pre-commit.sample
│ ├── pre-merge-commit.sample
│ ├── prepare-commit-msg.sample
│ ├── pre-push.sample
│ ├── pre-rebase.sample
│ ├── pre-receive.sample
│ ├── push-to-checkout.sample
│ └── update.sample
│ └── exclude
│ ├── info
│ └── pack
9 directories, 17 files
Giving this an OK for 64-bits but feel free to extend the test if you have some knowledge of git.
Validating. Advisory in comment 3.
An update for this issue has been pushed to the Mageia Updates repository.