Bug 47986 - git: Multiple issues (4.2)
git: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal (vote)
: UCS 4.2-5-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-15 15:13 CEST by Quality Assurance
Modified: 2018-10-17 16:47 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-10-15 15:13:32 CEST
New Debian git 1:2.1.4-2.1+deb8u7 fixes:
This update addresses the following issue:
* arbitrary code execution via .gitmodules (CVE-2018-17456)
Comment 1 Quality Assurance univentionstaff 2018-10-16 07:42:24 CEST
--- mirror/ftp/4.2/unmaintained/4.2-5/source/git_2.1.4-2.1+deb8u6.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/git_2.1.4-2.1+deb8u7.dsc
@@ -1,3 +1,29 @@
+1:2.1.4-2.1+deb8u7 [Fri, 05 Oct 2018 00:41:17 -0700] Jonathan Nieder <jrnieder@gmail.com>:
+
+  * Fix CVE-2018-17456, arbitrary code execution via submodule URLs
+    and paths in .gitmodules file:
+    - submodule: ban submodule urls that start with a dash
+    - submodule: ban submodule paths that start with a dash
+    - submodule: use "--" to signal end of clone options
+    - fsck: detect submodule urls that start with a dash
+    - fsck: detect submodule paths that start with a dash
+
+    Thanks to joernchen of Phenoelit for discovering and reporting
+    this vulnerability and to Jeff King for fixing it.
+
+  * Correct incomplete shell command injection fix in git cvsimport in
+    1:2.1.4-2.1+deb8u5.  A malicious CVS server could trigger
+    arbitrary code execution by a user running "git cvsimport".
+    - cvsimport: apply shell-quoting regex globally
+
+    Thanks to littlelailo for discovering this vulnerability and to
+    Jeff King for fixing it.
+
+  * fsck: error out when .gitmodules is a symbolic link, completing
+    the backport of the patch "fsck: complain when .gitmodules is a
+    symlink" in 1:2.1.4-2.1+deb8u6.  Thanks to Pavel Cahyna for the
+    report and patch.
+
 1:2.1.4-2.1+deb8u6 [Mon, 28 May 2018 16:30:30 -0700] Jonathan Nieder <jrnieder@gmail.com>:
 
   * Fix CVE-2018-11235, arbitrary code execution via submodule names

<http://10.200.17.11/4.2-5/#8728832221641299972>
Comment 2 Philipp Hahn univentionstaff 2018-10-16 14:31:31 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 65796750a5 Bug #47986: git 1:2.1.4-2.1+deb8u7
 doc/errata/staging/git.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-10-17 16:47:52 CEST
<http://errata.software-univention.de/ucs/4.2/530.html>