https://marc.info/?l=oss-security&m=164978507906820&w=2

"""
The Git project released versions v2.30.3, v2.31.2, v2.32.1, v2.33.2, v2.34.2, and v2.35.2 today. They are to address CVE-2022-24765. All supported platforms with multiple users are affected in one way or another.

https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend to upgrade.

The addressed issue is:

 * CVE-2022-24765:
   On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended for all users and another user created a repository in `/scratch/.git`. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user via `/scratch/.git/config`.

   Credit for finding the vulnerability goes to 俞晨东; credit for fixing it goes to Johannes Schindelin.
"""
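The condition described in the advisory is a repository directory, somewhere above the current directory, that belongs to a different user. As an added example (not code from Git and not from the Gentoo commits on this bug), the following audit walks from a directory up towards the root, reports every `.git` directory owned by someone other than the current user, and prints the `safe.directory` allow-list commands an administrator would use for the ones that are legitimately shared. The ownership comparison is assumed to mirror the check Git 2.35.2+ performs (the owner of the `.git` directory must be the current user unless the path is allow-listed); the `ceiling` parameter is my own analogue of stopping the upward walk, `.git` files of linked worktrees are deliberately not followed, and `build_sample_layout()` builds a constructed `/scratch`-style layout in a temporary directory for demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_git_dirs_owned_by_others(start, current_uid=None, ceiling=None):
    """Walk from `start` up to the filesystem root (or up to and including
    `ceiling`) and return [(directory, owner_uid), ...] for every `.git`
    directory on the way whose owner is not `current_uid`.

    A Git command run in `start` by a prompt, editor or IDE would discover
    the nearest such repository and honour its `config`, which is the
    CVE-2022-24765 scenario.  `current_uid` defaults to the caller's uid and
    is a parameter only so the check can be exercised against a constructed
    "other user" in tests.  `.git` files (linked worktrees, submodules) are
    not followed here: a simplification of Git's own behaviour.
    """
    if current_uid is None:
        current_uid = os.getuid()
    start_path = Path(start).resolve()
    ceiling_path = Path(ceiling).resolve() if ceiling is not None else None
    findings = []
    # Nearest directory first, exactly the order Git discovers repositories.
    for directory in (start_path, *start_path.parents):
        gitdir = directory / ".git"
        if gitdir.is_dir():
            owner = gitdir.stat().st_uid
            if owner != current_uid:
                findings.append((str(directory), owner))
        if ceiling_path is not None and directory == ceiling_path:
            break
    return findings


def safe_directory_commands(findings):
    """Return the allow-list commands for each reported repository.  Only the
    directories a user actually trusts should be added; for everything else
    the refusal introduced in 2.35.2 is the desired outcome."""
    return [f"git config --global --add safe.directory {d}" for d, _ in findings]


def build_sample_layout():
    """Constructed demo layout: <tmp>/scratch/.git plus a subdirectory the
    user might cd into.  Returns the resolved paths and the caller's uid."""
    root = Path(tempfile.mkdtemp()).resolve()
    repo = root / "scratch"
    (repo / ".git").mkdir(parents=True)
    sub = repo / "project" / "src"
    sub.mkdir(parents=True)
    return {"root": str(root), "repo": str(repo), "sub": str(sub),
            "uid": os.getuid()}


if __name__ == "__main__":
    layout = build_sample_layout()
    # Same owner as the caller: nothing to report.
    print(find_git_dirs_owned_by_others(layout["sub"], ceiling=layout["root"]))
    # Simulate the repository belonging to another user (uid + 1).
    found = find_git_dirs_owned_by_others(layout["sub"], layout["uid"] + 1,
                                          ceiling=layout["root"])
    for line in safe_directory_commands(found):
        print(line)
```

The `ceiling` argument keeps the walk inside the temporary tree during the demonstration; on a real host you would leave it unset so shared parents such as `/scratch` are examined. Git itself honours `GIT_CEILING_DIRECTORIES` for a similar purpose.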
Please do file security bugs when your packages have vulnerabilities.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afedd76307ba7fde47628d1dc84589a1d2ae9efc

commit afedd76307ba7fde47628d1dc84589a1d2ae9efc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 22:56:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 22:56:35 +0000

    profiles: mask =dev-vcs/git-2.35.2

    2.35.2 was a quick release to mitigate a security issue (bug #838127), but introduces problems of its own with e.g. Portage. bug #838223.

    Pending investigation both on the Portage side and potentially upstream (as there's at least some UX issues with 2.35.2+ with the new "safe directory" mechanism).

    Earlier versions are still safe as long as you do not use git commands on a local repository controlled by a user you do not trust.

    Closes: https://bugs.gentoo.org/838127
    Closes: https://bugs.gentoo.org/838223
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b2f637c5248f274789c4a02d06b2f41e378e96

commit d5b2f637c5248f274789c4a02d06b2f41e378e96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-14 07:19:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-14 07:20:15 +0000

    profiles: mask =dev-vcs/git-2.35.3 too, for same reasons as 2.35.2

    Nothing's changed there wrt the Portage-related issues yet.

    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Bug: https://bugs.gentoo.org/838127
    See: afedd76307ba7fde47628d1dc84589a1d2ae9efc
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2

    We now have a USE=+safe-directory to allow disabling the sometimes problematic behaviour. But we've also fixed Portage and pkgcheck/pkgdev anyway.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"

    Add IUSE="+safe-directory" that when not enabled, makes the safe.directory configuration setting not take effect.

    The patch is meant to be the smallest change (in terms of lines of code) that would let the feature work for tests still.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                        |  9 ++++++++-
 dev-vcs/git/metadata.xml                             |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac54f35d33d333126ee9fd4726f66305062fe8df

commit ac54f35d33d333126ee9fd4726f66305062fe8df
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-01 03:10:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-01 03:11:00 +0000

    dev-vcs/git: drop versions

    Partial security cleanup.

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest                               |  30 -
 .../git/files/git-2.31.0_rc0-optional-cvs.patch    | 455 ---------------
 dev-vcs/git/files/git-2.32.0-r1-test-t5582.patch   |  22 -
 dev-vcs/git/files/git-daemon-r1.initd              |  13 -
 dev-vcs/git/git-2.32.0-r1.ebuild                   | 644 --------------------
 dev-vcs/git/git-2.33.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.34.1-r1.ebuild                   | 640 --------------------
 dev-vcs/git/git-2.34.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.2.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.3.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.2.ebuild                      | 648 ---------------------
 15 files changed, 7577 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)