718710 – (CVE-2020-11008) <dev-vcs/git-{2.23.3,2.24.3,2.25.4}: Crafted URL could leak credential information (CVE-2020-11008)

Bug 718710 (CVE-2020-11008) - <dev-vcs/git-{2.23.3,2.24.3,2.25.4}: Crafted URL could leak credential information (CVE-2020-11008)

Summary: <dev-vcs/git-{2.23.3,2.24.3,2.25.4}: Crafted URL could leak credential inform...

Status:	RESOLVED FIXED

Alias:	CVE-2020-11008

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://raw.githubusercontent.com/git...
Whiteboard:	A4 [glsa+ cve]
Keywords:	CC-ARCHES

Depends on:
Blocks:

Reported:	2020-04-21 08:04 UTC by Sam James
Modified:	2020-06-20 00:53 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=dev-vcs/git-2.23.3 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.24.3 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.25.4 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.26.2 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-04-21 08:04:49 UTC

From release notes:
   With a crafted URL that contains a newline or empty host, or lacks
   a scheme, the credential helper machinery can be fooled into
   providing credential information that is not appropriate for the
   protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
   credentials are not for a host of the attacker's choosing; instead,
   they are for some unspecified host (based on how the configured
   credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with
   under-specified credential patterns.

----
Fixed in (relevant versions for us): 2.23.4, 2.24.3, 2.25.4, 2.26.2.

Thanks to Polynomial-C for pinging about this, he was already doing bumps!

Comment 1 Larry the Git Cow gentoo-dev

2020-04-21 08:24:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63f418f2391e7cb6048b25c39af0cbb6d2a66947

commit 63f418f2391e7cb6048b25c39af0cbb6d2a66947
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-21 08:23:09 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-21 08:24:40 +0000

    dev-vcs/git: Security bump to ver 2.23.4, 2.24.3, 2.25.4 and 2.26.2
    
    Bug: https://bugs.gentoo.org/718710
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest          |  12 +
 dev-vcs/git/git-2.23.3.ebuild | 725 +++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.24.3.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.25.4.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.26.2.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 2921 insertions(+)

Comment 2 NATTkA bot gentoo-dev

2020-04-21 09:36:23 UTC

Unable to check for sanity:

> no match for package: =dev-vcs/git-2.23.4

Comment 3 Sam James archtester

2020-04-21 20:52:55 UTC

arm64 stable

Comment 4 Mikle Kolyada (RETIRED) archtester

2020-04-22 13:45:50 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-04-23 06:22:22 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-04-23 06:25:43 UTC

ppc stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-04-23 06:26:53 UTC

ppc64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-04-23 06:27:41 UTC

s390 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-04-23 06:28:24 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-04-23 06:30:23 UTC

x86 stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2020-04-23 14:47:13 UTC

New GLSA request filed.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2020-04-23 15:18:37 UTC

This issue was resolved and addressed in
 GLSA 202004-13 at https://security.gentoo.org/glsa/202004-13
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2020-04-23 15:19:09 UTC

Re-opening for remaining architectures.

Comment 14 Rolf Eike Beer archtester

2020-04-26 09:18:08 UTC

hppa stable

Comment 15 Sam James archtester

2020-04-28 19:41:42 UTC

@maintainer(s), please cleanup

Comment 16 Larry the Git Cow gentoo-dev

2020-04-29 08:38:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6177833229b03609d2a0073c4839a208dec18f5c

commit 6177833229b03609d2a0073c4839a208dec18f5c
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-29 08:38:35 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-29 08:38:53 +0000

    dev-vcs/git: Security cleanup
    
    Bug: https://bugs.gentoo.org/718710
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest             |  27 --
 dev-vcs/git/git-2.23.1-r1.ebuild | 725 --------------------------------------
 dev-vcs/git/git-2.23.2.ebuild    | 725 --------------------------------------
 dev-vcs/git/git-2.24.1.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.24.2.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.1.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.2.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.3.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.26.0.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.26.1.ebuild    | 728 ---------------------------------------
 10 files changed, 6573 deletions(-)