Univention Bugzilla – Bug 47287
git: Multiple issues (4.3)
Last modified: 2018-07-04 14:54:00 CEST
New Debian git 1:2.11.0-3+deb9u3 fixes:

This update addresses the following issue(s):

* CVE-2017-15298 is open
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. (CVE-2018-11233)
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. (CVE-2018-11235)
* CVE-2018-1000021 is open

1:2.11.0-3+deb9u3 (Sun, 27 May 2018 10:48:46 -0700)

* Fix CVE-2018-11235, arbitrary code execution via submodule names in .gitmodules file:
  - submodule: verify submodule names as paths
  - fsck: simplify ".git" check
  - fsck: fsck blob data
  - fsck: detect .gitmodules files
  - fsck: check .gitmodules content
  - fsck: call fsck_finish after fscking objects
  - unpack-objects: call fsck_finish after fscking objects
  - index-pack: check .gitmodules files with --strict
* Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
  - is_ntfs_dotgit: use a size_t for traversing string
* Do not allow .gitmodules to be a symlink:
  - is_hfs_dotgit: match other .git* files
  - is_ntfs_dotgit: match other .git* files
  - is_{hfs,ntfs}_dotgitmodules: add tests
  - skip_prefix: add case-insensitive variant
  - verify_path: drop clever fallthrough
  - verify_dotfile: mention case-insensitivity in comment
  - update-index: stat updated files earlier
  - verify_path: disallow .gitmodules symlinks
  - fsck: complain when .gitmodules is a symlink
* debian/rules: make the new test executable.

Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for discovering and reporting these vulnerabilities and to Jeff King and Johannes Schindelin for fixing them.

* CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory (CVE-2018-11233)
* CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository (CVE-2018-11235)
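The "submodule: verify submodule names as paths" fix above boils down to one rule: a submodule name is used as a path component under $GIT_DIR/modules, so it must not contain ".." or name ".git". The following is an added example (not git's, Debian's or the UCS package's own code) that applies a simplified form of that rule to .gitmodules content; the sample file and the helper names are constructed for illustration.

```python
import re

# Constructed sample .gitmodules: one benign entry and one whose name would
# escape $GIT_DIR/modules via "../" (the CVE-2018-11235 pattern).
SAMPLE_GITMODULES = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
[submodule "../../.git/hooks"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>.*)"\]\s*$')


def is_dotgit_component(comp: str) -> bool:
    """Case-insensitive ".git" check that also folds trailing dots/spaces,
    which NTFS and HFS+ map onto ".git" (simplified, not git's own code)."""
    return comp.rstrip(". ").lower() == ".git"


def submodule_name_ok(name: str) -> bool:
    """Simplified reimplementation of git's rule (2.13.7+): a name becomes
    $GIT_DIR/modules/<name>, so it must not be empty, absolute, use
    backslashes, contain a ".." component, or name ".git"."""
    if not name or name.startswith("/") or "\\" in name:
        return False
    for comp in name.split("/"):
        if comp in ("", "..") or is_dotgit_component(comp):
            return False
    return True


def check_gitmodules(text: str) -> dict:
    """Scan .gitmodules text; return {submodule name: accepted?}."""
    verdicts = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name")
            verdicts[name] = submodule_name_ok(name)
    return verdicts


if __name__ == "__main__":
    for name, ok in check_gitmodules(SAMPLE_GITMODULES).items():
        print(("OK  " if ok else "BAD ") + repr(name))
```

Run against a checked-out repository's .gitmodules, any BAD verdict is the condition the updated git now rejects during clone and fsck.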
[4.3-1] 4ebeb1f68f Bug #47287: git 1:2.11.0-3+deb9u3
 doc/errata/staging/git.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
<http://10.200.17.11/4.3-1/#748036788759095233>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/ErrataValidation/233/console>
OK: Jenkins <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestJoin/lastCompletedBuild/testReport/>
<http://errata.software-univention.de/ucs/4.3/130.html>