Debian-LTS has issued an advisory on January 31: https://www.debian.org/lts/security/2023/dla-3303 The issues are fixed upstream in 1.13.0. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.13.0
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this on January 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/
Severity: normal => major
Assigning to all packagers collectively, because there is no registered maintainer for this package. CC'ing pterjan, who was the last one to push it.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, pterjan
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. (CVE-2022-46648, CVE-2022-47318)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47318
https://www.debian.org/lts/security/2023/dla-3303
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/
========================

Updated packages in core/updates_testing:
========================

ruby-git-1.6.0-1.2.mga8
ruby-git-doc-1.6.0-1.2.mga8

from SRPM:
ruby-git-1.6.0-1.2.mga8.src.rpm
Status comment: Fixed upstream in 1.13.0 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Source RPM: ruby-git-1.12.0-1.mga9.src.rpm => ruby-git-1.6.0-1.1.mga8.src.rpm
Version: Cauldron => 8
Status: NEW => ASSIGNED
mageia8, x86_64

Ruby git was already installed. Had a look at the CVEs but could not figure out how to reproduce the vulnerability and, lacking any familiarity with GitHub or git, had to make do with a single call to Git.init to create a local repository in an empty directory.

$ ruby -W0 -rgit -e "Git.init"

That worked. Emptied the directory afterwards and updated the packages. Running the same command produced the same result. It created a new folder .git in the current directory with contents:

.git
├── branches
├── config
├── description
├── HEAD
├── hooks
│   ├── applypatch-msg.sample
│   ├── commit-msg.sample
│   ├── fsmonitor-watchman.sample
│   ├── post-update.sample
│   ├── pre-applypatch.sample
│   ├── pre-commit.sample
│   ├── pre-merge-commit.sample
│   ├── prepare-commit-msg.sample
│   ├── pre-push.sample
│   ├── pre-rebase.sample
│   ├── pre-receive.sample
│   ├── push-to-checkout.sample
│   └── update.sample
├── info
│   └── exclude
├── objects
│   ├── info
│   └── pack
└── refs
    ├── heads
    └── tags

9 directories, 17 files

Giving this an OK for 64-bits but feel free to extend the test if you have some knowledge of git.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
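The QA test above only calls Git.init on an empty directory, which never parses a filename, so it cannot tell the vulnerable and fixed packages apart. The following is an added example, not code from the bug report, the advisory or ruby-git itself. It assumes (the report does not say how the crafted filename reaches code execution) the pattern behind this class of bug: git prints unusual paths in C-style double quotes, and a library that unquotes them by handing the quoted text to Kernel#eval parses them as a Ruby string literal, so a "#{...}" interpolation in the name runs as Ruby. The `git ls-files --stage` lines are constructed, and all function names are hypothetical.

```ruby
# Added example (not from the bug report or from ruby-git). Assumption: the
# crafted filename becomes code because git prints unusual paths in C-style
# double quotes and a library unquotes them by passing the quoted text to
# Kernel#eval, where "#{...}" interpolation runs as Ruby.

# Unsafe unquoting: the quoted filename is parsed as a Ruby string literal.
def unquote_with_eval(quoted)
  eval(quoted)
end

# Safe unquoting: decode git's C-style escapes (\a \b \t \n \v \f \r \" \\ and
# three-digit octal \ooo) byte by byte; never treat the text as code.
# Unquoted input is returned unchanged; malformed escapes yield nil.
def unquote_git_path(quoted)
  return quoted unless quoted.length >= 2 && quoted.start_with?('"') && quoted.end_with?('"')
  body = quoted[1..-2].b                     # work on raw bytes
  out = String.new(encoding: Encoding::BINARY)
  i = 0
  while i < body.length
    if body[i] != '\\'
      out << body[i]
      i += 1
      next
    end
    esc = body[i + 1]
    return nil if esc.nil?                   # dangling backslash
    case esc
    when 'a' then out << "\a"
    when 'b' then out << "\b"
    when 't' then out << "\t"
    when 'n' then out << "\n"
    when 'v' then out << "\v"
    when 'f' then out << "\f"
    when 'r' then out << "\r"
    when '"' then out << '"'
    when '\\' then out << '\\'
    when /\A[0-7]\z/
      oct = body[i + 1, 3]
      return nil unless oct =~ /\A[0-7]{3}\z/
      value = oct.to_i(8)
      return nil if value > 255              # \400..\777 is not a byte
      out << value.chr
      i += 2                                 # octal escape is 4 bytes, not 2
    else
      return nil                             # unknown escape
    end
    i += 2
  end
  out.force_encoding(Encoding::UTF_8)
end

# Constructed lines in the shape of `git ls-files --stage` output (the hash is
# git's empty-blob id). The second name is quoted because of its non-ASCII
# bytes, quotes and tab; the third is the attacker's: the leading tab forces
# git to quote it, and the rest is a Ruby interpolation that sets a flag.
SAMPLE_LS_FILES = [
  "100644 e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 0\tREADME.md",
  "100644 e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 0\t\"caf\\303\\251 \\\"note\\\"\\t.txt\"",
  "100644 e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 0\t\"\\t\#{$code_ran = true; 'x'}.rb\"",
].freeze

# Parse ls-files lines with the chosen unquoter; each row is a small hash.
def parse_ls_files(lines, unquoter)
  lines.map do |line|
    info, name = line.split("\t", 2)
    mode, sha, stage = info.split(' ')
    { mode: mode, sha: sha, stage: stage.to_i, path: unquoter.call(name) }
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_ls_files(SAMPLE_LS_FILES, method(:unquote_git_path)).each do |row|
    puts "#{row[:mode]} #{row[:path].inspect}"
  end
end
```

With the safe decoder the third entry comes back as the literal name and nothing is executed; feeding the same quoted string to the eval-based decoder sets the flag, which is the whole vulnerability in miniature. A tester who has git available can exercise the real parsing path instead of Git.init by committing a file whose name contains a tab or non-ASCII characters, then calling `Git.open(dir).ls_files` and `Git.open(dir).status` and checking that the returned path matches the name on disk.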
Validating. Advisory in comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0097.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED