Bug 51170

Summary: git: Multiple issues (4.4)
Product: UCS Reporter: Quality Assurance <qa>
Component: Security updatesAssignee: Quality Assurance <qa>
Status: CLOSED FIXED QA Contact: Erik Damrose <damrose>
Severity: normal    
Priority: P3    
Version: UCS 4.4   
Target Milestone: UCS 4.4-4-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Description Quality Assurance univentionstaff 2020-04-27 09:00:29 CEST 
New Debian git 1:2.11.0-3+deb9u7 fixes:
This update addresses the following issue:
* Crafted URL containing new lines, empty host or lacks a scheme can cause  credential leak (CVE-2020-11008)
Comment 1 Quality Assurance univentionstaff 2020-04-27 10:00:38 CEST 
--- mirror/ftp/4.4/unmaintained/component/4.4-4-errata/source/git_2.11.0-3+deb9u6.dsc
+++ apt/ucs_4.4-0-errata4.4-4/source/git_2.11.0-3+deb9u7.dsc
@@ -1,3 +1,30 @@
+1:2.11.0-3+deb9u7 [Sun, 19 Apr 2020 19:07:44 -0700] Jonathan Nieder <jrnieder@gmail.com>:
+
+  * Apply patches from 2.20.4 to address the security issue
+    CVE-2020-11008.
+
+    With a crafted URL that contains a newline or empty host, or
+    lacks a scheme, the credential helper machinery can be fooled
+    into providing credential information that is not appropriate
+    for the protocol in use and host being contacted.
+
+    Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the
+    credentials are not for a host of the attacker's choosing.
+    Instead, they are for an unspecified host, based on how the
+    configured credential helper handles an absent "host"
+    parameter.
+
+    The attack has been made impossible by refusing to work with
+    underspecified credential patterns.
+
+    Thanks to Carlo Arenas for reporting that Git was still
+    vulnerable, Felix Wilhelm for providing the proof of concept
+    demonstrating this issue, and Jeff King for promptly providing
+    a corrected fix.
+
+    Tested using the proof of concept at
+    https://crbug.com/project-zero/2021.
+
 1:2.11.0-3+deb9u6 [Sun, 12 Apr 2020 17:49:00 -0700] Jonathan Nieder <jrnieder@gmail.com>:
 
   [ Salvatore Bonaccorso ]

<http://10.200.17.11/4.4-4/#748036788754765133>
Comment 2 Erik Damrose univentionstaff 2020-04-28 09:33:41 CEST 
OK: yaml
OK: announce_errata
OK: no patch
OK: piuparts
Verified
Comment 3 Erik Damrose univentionstaff 2020-04-29 12:32:18 CEST 
<http://errata.software-univention.de/ucs/4.4/552.html>