Bug 47287 - git: Multiple issues (4.3)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
P3 normal
UCS 4.3-1-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2018-07-03 14:13 CEST by Philipp Hahn
Modified: 2018-07-04 14:54 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Description Philipp Hahn univentionstaff 2018-07-03 14:13:19 CEST
New Debian git 1:2.11.0-3+deb9u3 fixes:
This update addresses the following issue(s):
CVE_2017-15298 is open
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. (CVE-2018-11233)
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. (CVE-2018-11235)
CVE_2018-1000021 is open

1:2.11.0-3+deb9u3 (Sun, 27 May 2018 10:48:46 -0700)
  * Fix CVE-2018-11235, arbitrary code execution via submodule names
    in .gitmodules file:
    - submodule: verify submodule names as paths
    - fsck: simplify ".git" check
    - fsck: fsck blob data
    - fsck: detect .gitmodules files
    - fsck: check .gitmodules content
    - fsck: call fsck_finish after fscking objects
    - unpack-objects: call fsck_finish after fscking objects
    - index-pack: check .gitmodules files with --strict
  * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
    - is_ntfs_dotgit: use a size_t for traversing string
  * Do not allow .gitmodules to be a symlink:
    - is_hfs_dotgit: match other .git* files
    - is_ntfs_dotgit: match other .git* files
    - is_{hfs,ntfs}_dotgitmodules: add tests
    - skip_prefix: add case-insensitive variant
    - verify_path: drop clever fallthrough
    - verify_dotfile: mention case-insensitivity in comment
    - update-index: stat updated files earlier
    - verify_path: disallow .gitmodules symlinks
    - fsck: complain when .gitmodules is a symlink
  * debian/rules: make the new test executable.
  Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
  discovering and reporting these vulnerabilities and to Jeff King
  and Johannes Schindelin for fixing them.
* CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory (CVE-2018-11233)
* CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository (CVE-2018-11235)
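
Added example, not part of the bug report and not git's own code: a Python audit of .gitmodules content for submodule names that contain a ".." path component, the condition the CVE-2018-11235 description above attributes the directory traversal to. The function names, the rule of treating both "/" and "\" as separators, and the sample file are assumptions constructed for illustration.

```python
import re

# Section header of a git-config style file: [submodule "<name>"]
_HEADER = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]', re.IGNORECASE)


def is_safe_submodule_name(name):
    """Reject empty names and any '..' path component.

    The name is appended to $GIT_DIR/modules, so it is checked as a path.
    Both '/' and '\\' count as separators on every platform (assumption).
    """
    if not name:
        return False
    return ".." not in re.split(r"[/\\]", name)


def submodule_names(gitmodules_text):
    """Return the submodule names declared in .gitmodules content."""
    names = []
    for line in gitmodules_text.splitlines():
        m = _HEADER.match(line)
        if m:
            # Undo config quoting inside the header: \" -> " and \\ -> \
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def unsafe_submodule_names(gitmodules_text):
    """Names that would leave $GIT_DIR/modules if used as a path."""
    return [n for n in submodule_names(gitmodules_text)
            if not is_safe_submodule_name(n)]


# Constructed sample input (url lines omitted), not from a real repository.
SAMPLE = '''\
[submodule "libs/zlib"]
    path = libs/zlib
[submodule "../outside"]
    path = vendor/outside
[submodule "a\\\\..\\\\b"]
    path = vendor/b
[submodule "release..notes"]
    path = docs
'''

if __name__ == "__main__":
    for name in unsafe_submodule_names(SAMPLE):
        print("unsafe submodule name:", name)
```

A name such as "release..notes" passes because ".." is only rejected when it forms a whole path component.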
Comment 1 Philipp Hahn univentionstaff 2018-07-03 16:36:40 CEST
[4.3-1] 4ebeb1f68f Bug #47287: git 1:2.11.0-3+deb9u3
 doc/errata/staging/git.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Comment 3 Arvid Requate univentionstaff 2018-07-04 14:54:00 CEST