Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 459158 (CVE-2013-0308) - <dev-vcs/git-1.8.1.5: "git-imap-send" SSL Certificate Verification Security Issue (CVE-2013-0308)
Summary: <dev-vcs/git-1.8.1.5: "git-imap-send" SSL Certificate Verification Security I...
Status: RESOLVED FIXED
Alias: CVE-2013-0308
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52361/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-25 14:32 UTC by Agostino Sarubbo
Modified: 2013-03-24 20:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-25 14:32:56 UTC 
From ${URL} :

Description
A security issue has been reported in GIT, which can be exploited by malicious people to conduct 
spoofing attacks.

The security issue is caused due to the "git-imap-send" not properly verifying IMAP server hostname 
against the domain name in SSL certificates. This can be exploited to e.g. spoof the server via a 
MitM (Man-in-the-Middle) attack and e.g. disclose potentially sensitive information.

The security issue is reported in versions prior to 1.8.1.4.


Solution
Update to version 1.8.1.4.
Original Advisory
https://bugzilla.novell.com/show_bug.cgi?id=804730
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 00:53:10 UTC 
Robin, can we stabilize =dev-vcs/git-1.8.1.4 or =dev-vcs/git-1.8.1.5 ?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-03-04 01:35:32 UTC 
Arches, please test & stabilize git-1.8.1.5.
Target stable keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

Testing instructions.
Use the src_test.

Here's the output I get for for it.
FEATURES='test userpriv' USE="blksha1 cgi curl cvs doc gpg iconv pcre perl python subversion threads webdav xinetd -emacs -gnome-keyring -gtk -highlight -nls -ppcsha1 -tk" ebuild git-1.8.1.5.ebuild test
...
fixed   0
success 9109
failed  0
broken  74
total   9236

If you get non-zero for failed, I'd like reports.
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-04 09:11:47 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-04 09:21:11 UTC 
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2013-03-04 18:20:11 UTC 
ppc done
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-05 15:12:01 UTC 
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-06 10:28:52 UTC 
sh stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-08 17:46:29 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-03-09 11:05:16 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-09 13:35:05 UTC 
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-09 14:21:45 UTC 
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-09 19:05:42 UTC 
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-10 16:23:26 UTC 
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-19 21:28:04 UTC 
m68k has no stable keyword. Security, please vote
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-20 23:34:25 UTC 
GLSA vote: no.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:43:27 UTC 
CVE-2013-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0308):
  The imap-send command in GIT before 1.8.1.4 does not verify that the server
  hostname matches a domain name in the subject's Common Name (CN) or
  subjectAltName field of the X.509 certificate, which allows
  man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
  certificate.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 20:24:46 UTC 
NO too, closing.