Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | git: Multiple issues (4.2) | | |
| Product: | UCS | Reporter: | Quality Assurance <qa> |
| Component: | Security updates | Assignee: | Quality Assurance <qa> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | | |
| Priority: | P3 | | |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.2-4-errata | | |
| Hardware: | All | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | | |
Description
Quality Assurance
2018-08-09 10:20:00 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/git_2.1.4-2.1+deb8u5.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/git_2.1.4-2.1+deb8u6.dsc 
@@ -1,3 +1,44 @@ +1:2.1.4-2.1+deb8u6 [Mon, 28 May 2018 16:30:30 -0700] Jonathan Nieder <jrnieder@gmail.com>: + + * Fix CVE-2018-11235, arbitrary code execution via submodule names + in .gitmodules file: + - submodule: verify submodule names as paths + - fsck: drop inode-sorting code + - fsck: simplify ".git" check + - fsck: fsck blob data + - fsck: detect gitmodules files + - fsck: check .gitmodules content + - fsck: call fsck_finish after fscking objects + - unpack-objects: call fsck_finish after fscking objects + - index-pack: check .gitmodules files with --strict + * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths: + - is_ntfs_dotgit: use a size_t for traversing string + * Do not allow .gitmodules to be a symlink: + - is_hfs_dotgit: loosen over-eager match of \u{..47} + - is_hfs_dotgit: match other .git* files + - is_ntfs_dotgit: match other .git* files + - is_{hfs,ntfs}_dotgitmodules: add tests + - skip_prefix: add case-insensitive variant + - verify_path: drop clever fallthrough + - verify_dotfile: mention case-insensitivity in comment + - update-index: stat updated files earlier + - verify_path: disallow .gitmodules symlinks + - fsck: complain when .gitmodules is a symlink + + Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for + discovering and reporting these vulnerabilities and to Jeff King and + Johannes Schindelin for fixing them. + + * Prevent "git apply" without --index from escaping the current + directory (compare GNU patch's CVE-2015-1196): + - apply: reject input that touches outside the working area + - apply: do not read from the filesystem under --index + - apply: do not read from beyond a symbolic link + - apply: do not touch a file beyond a symbolic link + + Thanks to Josh Boyer for reporting this vulnerability and Junio C + Hamano for fixing it. 
+ 1:2.1.4-2.1+deb8u5 [Mon, 25 Sep 2017 12:12:03 -0700] Jonathan Nieder <jrnieder@gmail.com>: * Fix remote shell command execution via CVS protocol: <http://10.200.17.11/4.2-4/#8728832221640217447> OK: yaml OK: errata-announce OK: patch OK: piuparts [4.2-4] d5716e5d99 Bug #47547: git 1:2.1.4-2.1+deb8u6 doc/errata/staging/git.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) [4.2-4] 5d1d23c97f Bug #47547: git 1:2.1.4-2.1+deb8u6 doc/errata/staging/git.yaml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) [4.2-4] 1c8306240d Bug #47547: git 1:2.1.4-2.1+deb8u6 doc/errata/staging/git.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) |
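Review bot: the errata announcement (the git.yaml commits listed above) should carry every issue this changelog hunk backports, not only the one behind the 8.8 score in the header: the hunk fixes CVE-2018-11235 (arbitrary code execution via submodule names, with the new .gitmodules fsck checks) and CVE-2018-11233 (out-of-bounds read in NTFS path validation), additionally forbids .gitmodules being a symlink, and hardens "git apply" without --index against touching files outside the working area, for which the hunk gives no CVE id of its own (it only compares to GNU patch's CVE-2015-1196). Note also that the receiving-side .gitmodules check is added to index-pack only "with --strict" per the hunk, so the announcement should state that this check applies only when strict fsck is requested on incoming objects, while the "submodule: verify submodule names as paths" change applies regardless.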