Bug 9255 - git new security issue CVE-2013-0308
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/541060/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-03-04 23:00 CET by David Walser
Modified: 2013-03-16 01:41 CET (History)

Source RPM: git-1.7.10-1.mga2.src.rpm
Description David Walser 2013-03-04 23:00:24 CET
OpenSuSE has issued an advisory on March 1:
http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html

Cauldron is not affected, as it's fixed upstream in 1.8.1.4.

Patched package uploaded for Mageia 2.

Patches added in Mageia 1 SVN.

Advisory:
========================

Updated git packages fix security vulnerability:

It was discovered that Git's git-imap-send command, a tool to send a
collection of patches from standard input (stdin) to an IMAP folder, did
not properly perform SSL X.509 v3 certificate validation on the IMAP
server's certificate, as it did not ensure that the server's hostname
matched the one provided in the CN field of the server's certificate. A
rogue server could use this flaw to conduct man-in-the-middle attacks,
possibly leading to the disclosure of sensitive information
(CVE-2013-0308).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0308
https://rhn.redhat.com/errata/RHSA-2013-0589.html
========================

Updated packages in core/updates_testing:
========================
git-1.7.10-1.1.mga2
git-core-1.7.10-1.1.mga2
gitk-1.7.10-1.1.mga2
gitview-1.7.10-1.1.mga2
libgit-devel-1.7.10-1.1.mga2
git-svn-1.7.10-1.1.mga2
git-cvs-1.7.10-1.1.mga2
git-arch-1.7.10-1.1.mga2
git-email-1.7.10-1.1.mga2
perl-Git-1.7.10-1.1.mga2
python-git-1.7.10-1.1.mga2
git-core-oldies-1.7.10-1.1.mga2
gitweb-1.7.10-1.1.mga2
git-prompt-1.7.10-1.1.mga2

from git-1.7.10-1.1.mga2.src.rpm
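The identity check the advisory describes as missing, shown as an added illustration (not git's code and not part of the Mageia package): RFC 6125-style matching of the IMAP server's hostname against the certificate's SAN dNSName entries and, only when there are none, the CN, beside the pre-fix acceptance logic that never compared the two. It goes beyond the advisory's CN-only wording by also handling SAN and wildcard names; `subject_cn`, `san_dns` and the sample names are constructed values.

```python
import ssl
from typing import List, Optional

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard is allowed only as the
    entire leftmost label, matches exactly one label, and needs two further labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def hostname_matches(hostname: str, subject_cn: Optional[str], san_dns: List[str]) -> bool:
    """True if the presented identity is valid for hostname. SAN dNSName entries take
    precedence; the CN is consulted only when the certificate carries no dNSName."""
    if san_dns:
        return any(_dns_name_matches(name, hostname) for name in san_dns)
    return subject_cn is not None and _dns_name_matches(subject_cn, hostname)

def accept_pre_fix(hostname: str, subject_cn: Optional[str], san_dns: List[str],
                   chain_ok: bool) -> bool:
    """Condition the advisory describes: the certificate identity is never compared
    with the hostname, so any certificate that passes chain checks is accepted."""
    return chain_ok

def accept_post_fix(hostname: str, subject_cn: Optional[str], san_dns: List[str],
                    chain_ok: bool) -> bool:
    """Chain validation plus the hostname check that was missing."""
    return chain_ok and hostname_matches(hostname, subject_cn, san_dns)

def default_context_checks_hostname() -> bool:
    """Python's default client context enforces both checks; a client that sets
    check_hostname = False reproduces the pre-fix condition."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

if __name__ == "__main__":
    # Constructed sample identities; "other.example" stands in for a certificate that
    # is valid for some other name, which a rogue server in the middle could present.
    for cn in ("imap.gmail.com", "other.example"):
        print(cn, accept_pre_fix("imap.gmail.com", cn, [], True),
              accept_post_fix("imap.gmail.com", cn, [], True))
```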
Comment 1 claire robinson 2013-03-08 14:41:55 CET
git-imap-send man page gives useful information for testing.
Online here: https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html
Comment 2 claire robinson 2013-03-08 15:22:49 CET
man gittutorial is helpful for general git.
https://www.kernel.org/pub/software/scm/git/docs/gittutorial.html

Before
------
$ mkdir git-test
$ cd git-test
$ echo "This is QA test number" > qatest.txt
$ git init
Initialized empty Git repository in /home/claire/git-test/.git/
$ git add .
$ git commit

<opens vi text editor, press i to enter insert mode and type the commit message, then press escape and :x to save it>

[master (root-commit) 0987a79] First Commit
 1 file changed, 1 insertion(+)
 create mode 100644 qatest.txt

$ echo "one" >> qatest.txt
$ git add qatest.txt
$ git diff --cached

diff --git a/qatest.txt b/qatest.txt
index 5c4bf19..b21084e 100644
--- a/qatest.txt
+++ b/qatest.txt
@@ -1 +1,2 @@
 This is QA test number
+one

<Press q to quit>

$ git commit
[master d127413] Second commit
 1 file changed, 1 insertion(+)

$ git format-patch --cover-letter -M --stdout --root d127413 | git imap-send
Resolving imap.gmail.com... ok
Connecting to [173.194.78.109]:993... ok
Logging in...
sending 3 messages
 100% (3/3) done

Enter email password when it asks for SSH password.

Found the 3 messages in [Google Mail]/Drafts folder using thunderbird.

After
-----
$ echo "two" >> qatest.txt
$ git add qatest.txt
$ git commit
[master cb14306] third and final commit
 1 file changed, 1 insertion(+)

$ git format-patch --cover-letter -M --stdout --root cb14306 | git imap-send
Resolving imap.gmail.com... ok
Connecting to [173.194.66.108]:993... ok
Logging in...
sending 4 messages
 100% (4/4) done

Found the new messages with thunderbird.

Testing complete mga2 64
Comment 3 claire robinson 2013-03-08 15:24:19 CET
To tidy up..

$ cd ..
$ rm -rf git-test
Comment 4 claire robinson 2013-03-10 19:43:54 CET
Testing complete mga2 32

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 5 D Morgan 2013-03-16 01:41:27 CET
update pushed:

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0091
