Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838127 (CVE-2022-24765) - <dev-vcs/git-2.35.2: Shared repository vulnerability
Summary: <dev-vcs/git-2.35.2: Shared repository vulnerability
Status: RESOLVED FIXED
Alias: CVE-2022-24765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 838223 838271 857831
Blocks:
  Show dependency tree
 
Reported: 2022-04-13 03:00 UTC by Sam James
Modified: 2023-12-27 07:50 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 03:00:17 UTC
https://marc.info/?l=oss-security&m=164978507906820&w=2

"""

The Git project released versions v2.30.3, v2.31.2, v2.32.1,
v2.33.2, v2.34.2, and v2.35.2 today.  They are to address
CVE-2022-24765.  All supported platforms with multiple users are
affected in one way or another.

    https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/

We highly recommend to upgrade.

The addressed issue is:

* CVE-2022-24765:
  On multi-user machines, Git users might find themselves unexpectedly in
  a Git worktree, e.g. when there is a scratch space (`/scratch/`) intend=
ed
  for all users and another user created a repository in `/scratch/.git`.
  Merely having a Git-aware prompt that runs `git status` (or `git diff`)
  and navigating to a directory which is supposedly not a Git worktree, o=
r
  opening such a directory in an editor or IDE such as VS Code or Atom, w=
ill
  potentially run commands defined by that other user via
  `/scratch/.git/config`.

Credit for finding the vulnerability goes to =E4=BF=9E=E6=99=A8=E4=B8=9C;=
 credit for fixing
it goes to Johannes Schindelin.
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 03:00:35 UTC
Please do file security bugs when your packages have vulnerabilities.
Comment 2 Larry the Git Cow gentoo-dev 2022-04-13 22:57:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afedd76307ba7fde47628d1dc84589a1d2ae9efc

commit afedd76307ba7fde47628d1dc84589a1d2ae9efc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 22:56:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 22:56:35 +0000

    profiles: mask =dev-vcs/git-2.35.2
    
    2.35.2 was a quick release to mitigate a security issue (bug #838127), but
    introduces problems of its own with e.g. Portage. bug #838223. Pending
    investigation both on the Portage side and potentially upstream (as there's
    at least some UX issues with 2.35.2+ with the new "safe directory" mechanism).
    
    Earlier versions are still safe as long as you do not use git commands
    on a local repository controlled by a user you do not trust.
    
    Closes: https://bugs.gentoo.org/838127
    Closes: https://bugs.gentoo.org/838223
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-04-14 07:20:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b2f637c5248f274789c4a02d06b2f41e378e96

commit d5b2f637c5248f274789c4a02d06b2f41e378e96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-14 07:19:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-14 07:20:15 +0000

    profiles: mask =dev-vcs/git-2.35.3 too, for same reasons as 2.35.2
    
    Nothing's changed there wrt the Portage-related issues yet.
    
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Bug: https://bugs.gentoo.org/838127
    See: afedd76307ba7fde47628d1dc84589a1d2ae9efc
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-12 15:46:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2
    
    We now have a USE=+safe-directory to allow disabling
    the sometimes problematic behaviour. But we've also
    fixed Portage and pkgcheck/pkgdev anyway.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"
    
    Add IUSE="+safe-directory" that when not enabled, makes the
    safe.directory configuration setting not take effect. The patch is meant
    to be the smallest change (in terms of lines of code) that would let the
    feature work for tests still.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                       |  9 ++++++++-
 dev-vcs/git/metadata.xml                            |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-09-01 03:11:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac54f35d33d333126ee9fd4726f66305062fe8df

commit ac54f35d33d333126ee9fd4726f66305062fe8df
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-01 03:10:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-01 03:11:00 +0000

    dev-vcs/git: drop versions
    
    Partial security cleanup.
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest                               |  30 -
 .../git/files/git-2.31.0_rc0-optional-cvs.patch    | 455 ---------------
 dev-vcs/git/files/git-2.32.0-r1-test-t5582.patch   |  22 -
 dev-vcs/git/files/git-daemon-r1.initd              |  13 -
 dev-vcs/git/git-2.32.0-r1.ebuild                   | 644 --------------------
 dev-vcs/git/git-2.33.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.34.1-r1.ebuild                   | 640 --------------------
 dev-vcs/git/git-2.34.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.2.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.3.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.2.ebuild                      | 648 ---------------------
 15 files changed, 7577 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2023-12-27 07:49:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)