Bug 47547 - git: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal
: UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2018-08-09 10:20 CEST by Quality Assurance
Modified: 2018-08-15 16:20 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Description Quality Assurance univentionstaff 2018-08-09 10:20:00 CEST
New Debian git 1:2.1.4-2.1+deb8u6 fixes:
This update addresses the following issue(s):
* CVE-2017-15298 is open
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. (CVE-2018-11233)
* In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. (CVE-2018-11235)
* CVE-2018-1000021 is open

1:2.1.4-2.1+deb8u6 (Mon, 28 May 2018 16:30:30 -0700)
* Fix CVE-2018-11235, arbitrary code execution via submodule names in .gitmodules file:
  - submodule: verify submodule names as paths
  - fsck: drop inode-sorting code
  - fsck: simplify ".git" check
  - fsck: fsck blob data
  - fsck: detect gitmodules files
  - fsck: check .gitmodules content
  - fsck: call fsck_finish after fscking objects
  - unpack-objects: call fsck_finish after fscking objects
  - index-pack: check .gitmodules files with --strict
* Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
  - is_ntfs_dotgit: use a size_t for traversing string
* Do not allow .gitmodules to be a symlink:
  - is_hfs_dotgit: loosen over-eager match of \u{..47}
  - is_hfs_dotgit: match other .git* files
  - is_ntfs_dotgit: match other .git* files
  - is_{hfs,ntfs}_dotgitmodules: add tests
  - skip_prefix: add case-insensitive variant
  - verify_path: drop clever fallthrough
  - verify_dotfile: mention case-insensitivity in comment
  - update-index: stat updated files earlier
  - verify_path: disallow .gitmodules symlinks
  - fsck: complain when .gitmodules is a symlink
Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for discovering and reporting these vulnerabilities and to Jeff King and Johannes Schindelin for fixing them.
* Prevent "git apply" without --index from escaping the current directory (compare GNU patch's CVE-2015-1196):
  - apply: reject input that touches outside the working area
  - apply: do not read from the filesystem under --index
  - apply: do not read from beyond a symbolic link
  - apply: do not touch a file beyond a symbolic link
Thanks to Josh Boyer for reporting this vulnerability and Junio C Hamano for fixing it.
* CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory (CVE-2018-11233)
* CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository (CVE-2018-11235)
* CVE-2015-1196 patch: directory traversal via symlinks (CVE-2015-1196)
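Added example, not git's own code and not part of this bug report: a C check of the kind the changelog entry "submodule: verify submodule names as paths" describes for CVE-2018-11235. It rejects any submodule name that is empty or contains a ".." path component (treating both "/" and "\" as separators), so the name cannot climb out of $GIT_DIR/modules when appended to it, and a small scanner applies the check to every `[submodule "<name>"]` header of a constructed .gitmodules file, as an fsck-style content check would. The function names and the sample file are assumptions of this example.

```c
#include <string.h>

/* Added example, not git's own code. A submodule name is unsafe if it is
 * empty or any path component is ".."; both '/' and '\\' count as
 * separators so the rule does not depend on the platform. */
int submodule_name_is_safe(const char *name, size_t len)
{
    size_t i = 0;
    if (len == 0)
        return 0;
    for (;;) {                       /* i is at the start of a component */
        if (i + 1 < len && name[i] == '.' && name[i + 1] == '.' &&
            (i + 2 == len || name[i + 2] == '/' || name[i + 2] == '\\'))
            return 0;
        while (i < len && name[i] != '/' && name[i] != '\\')
            i++;
        if (i == len)
            return 1;
        i++;                         /* skip the separator */
    }
}

/* Scan .gitmodules text for [submodule "<name>"] headers and return how
 * many names fail the check above (an fsck-style content check). */
int count_unsafe_submodule_names(const char *text)
{
    static const char prefix[] = "[submodule \"";
    const char *p = text;
    int unsafe = 0;
    while ((p = strstr(p, prefix)) != NULL) {
        const char *start = p + sizeof(prefix) - 1;
        const char *end = strchr(start, '"');
        if (!end)
            break;                   /* unterminated header: stop scanning */
        if (!submodule_name_is_safe(start, (size_t)(end - start)))
            unsafe++;
        p = end;
    }
    return unsafe;
}

/* Constructed sample: one benign entry and one whose name climbs out of
 * $GIT_DIR/modules with "../", the CVE-2018-11235 pattern. */
static const char SAMPLE_GITMODULES[] =
    "[submodule \"lib/helper\"]\n\tpath = lib/helper\n"
    "\turl = https://example.invalid/helper.git\n"
    "[submodule \"../evil\"]\n\tpath = evil\n"
    "\turl = https://example.invalid/evil.git\n";
```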
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:44:21 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/git_2.1.4-2.1+deb8u5.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/git_2.1.4-2.1+deb8u6.dsc
@@ -1,3 +1,44 @@
+1:2.1.4-2.1+deb8u6 [Mon, 28 May 2018 16:30:30 -0700] Jonathan Nieder <jrnieder@gmail.com>:
+
+  * Fix CVE-2018-11235, arbitrary code execution via submodule names
+    in .gitmodules file:
+    - submodule: verify submodule names as paths
+    - fsck: drop inode-sorting code
+    - fsck: simplify ".git" check
+    - fsck: fsck blob data
+    - fsck: detect gitmodules files
+    - fsck: check .gitmodules content
+    - fsck: call fsck_finish after fscking objects
+    - unpack-objects: call fsck_finish after fscking objects
+    - index-pack: check .gitmodules files with --strict
+  * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
+    - is_ntfs_dotgit: use a size_t for traversing string
+  * Do not allow .gitmodules to be a symlink:
+    - is_hfs_dotgit: loosen over-eager match of \u{..47}
+    - is_hfs_dotgit: match other .git* files
+    - is_ntfs_dotgit: match other .git* files
+    - is_{hfs,ntfs}_dotgitmodules: add tests
+    - skip_prefix: add case-insensitive variant
+    - verify_path: drop clever fallthrough
+    - verify_dotfile: mention case-insensitivity in comment
+    - update-index: stat updated files earlier
+    - verify_path: disallow .gitmodules symlinks
+    - fsck: complain when .gitmodules is a symlink
+
+  Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
+  discovering and reporting these vulnerabilities and to Jeff King and
+  Johannes Schindelin for fixing them.
+
+  * Prevent "git apply" without --index from escaping the current
+    directory (compare GNU patch's CVE-2015-1196):
+    - apply: reject input that touches outside the working area
+    - apply: do not read from the filesystem under --index
+    - apply: do not read from beyond a symbolic link
+    - apply: do not touch a file beyond a symbolic link
+
+  Thanks to Josh Boyer for reporting this vulnerability and Junio C
+  Hamano for fixing it.
+
 1:2.1.4-2.1+deb8u5 [Mon, 25 Sep 2017 12:12:03 -0700] Jonathan Nieder <jrnieder@gmail.com>:
 
   * Fix remote shell command execution via CVS protocol:
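Review bot: the "git apply" entry at the end of the new changelog block cites CVE-2015-1196 only as a comparison ("compare GNU patch's CVE-2015-1196"), yet the description above lists "CVE-2015-1196 patch: directory traversal via symlinks" as if this git update fixed it; the errata yaml should describe the git apply hardening on its own and not credit git with the GNU patch CVE. The "Do not allow .gitmodules to be a symlink" group likewise carries no CVE id, so the advisory summary should mention it by description rather than dropping it because no id exists.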

<http://10.200.17.11/4.2-4/#8728832221640217447>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 11:20:28 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] d5716e5d99 Bug #47547: git 1:2.1.4-2.1+deb8u6
 doc/errata/staging/git.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.2-4] 5d1d23c97f Bug #47547: git 1:2.1.4-2.1+deb8u6
 doc/errata/staging/git.yaml | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

[4.2-4] 1c8306240d Bug #47547: git 1:2.1.4-2.1+deb8u6
 doc/errata/staging/git.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:41 CEST
<http://errata.software-univention.de/ucs/4.2/452.html>