Bug 857792 - <dev-libs/libgit2-{1.3.2,1.4.4}: Shared repository vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+]
Depends on: 857795 857798
Blocks: CVE-2022-29187
Reported: 2022-07-12 18:49 UTC by Michał Górny
Modified: 2024-01-14 09:16 UTC

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-12 18:49:19 UTC
Apparently the same thing as git's CVE-2022-29187.

From changelog:

* This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), now not only is the working directory of a non-bare repository examined for its ownership, but the `.git` directory and the `.git` file (if present) are also examined for their ownership.

* A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in `sudo`.

* A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using `runas Administrator`).
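
The ownership rule from the changelog above, as an added audit sketch (not libgit2's or git's code, and not part of the original report): it lists which of the worktree, the `.git` entry and the gitdir a `.git` file points to are not owned by the expected user. Treating `SUDO_UID` as the invoking user when running as root, following a `gitdir:` pointer, and all function names are assumptions of this example.

```python
import os
import tempfile

def effective_owner_uid(environ=os.environ):
    """UID a repository must belong to; under sudo (assumed: SUDO_UID), the invoker's."""
    uid = os.geteuid()
    sudo_uid = environ.get("SUDO_UID", "")
    if uid == 0 and sudo_uid.isdigit():
        return int(sudo_uid)
    return uid

def paths_to_check(worktree):
    """Worktree, its .git entry, and the gitdir a .git file points to."""
    paths = [worktree]
    dotgit = os.path.join(worktree, ".git")
    if not os.path.lexists(dotgit):
        return paths
    paths.append(dotgit)
    if os.path.isfile(dotgit):  # linked worktree / submodule: "gitdir: <path>"
        with open(dotgit, encoding="utf-8", errors="replace") as fh:
            line = fh.readline().strip()
        if line.startswith("gitdir:"):
            target = line[len("gitdir:"):].strip()
            paths.append(os.path.normpath(os.path.join(worktree, target)))
    return paths

def foreign_owned(worktree, uid=None):
    """Return the checked paths that are missing or not owned by uid."""
    uid = effective_owner_uid() if uid is None else uid
    bad = []
    for path in paths_to_check(worktree):
        try:
            if os.lstat(path).st_uid != uid:  # lstat: judge the entry itself
                bad.append(path)
        except FileNotFoundError:
            bad.append(path)
    return bad

def demo():
    """Constructed sample: a worktree whose .git file points at a sibling gitdir."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")
    gitdir = os.path.join(root, "real.git")
    os.mkdir(work)
    os.mkdir(gitdir)
    with open(os.path.join(work, ".git"), "w", encoding="utf-8") as fh:
        fh.write("gitdir: ../real.git\n")
    mine = os.lstat(work).st_uid
    return foreign_owned(work, mine), foreign_owned(work, mine + 1)
```

A non-empty result from `foreign_owned()` on a shared checkout marks the paths to review before running git-based tooling there as that user.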
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 09:04:59 UTC
cleanup done
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 17:55:03 UTC
Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2024-01-14 09:14:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1e10dddefba8566fa926c19fd2f97c893860b8ea

commit 1e10dddefba8566fa926c19fd2f97c893860b8ea
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-14 09:13:55 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-14 09:14:51 +0000

    [ GLSA 202401-17 ] libgit2: Privilege Escalation Vulnerability
    
    Bug: https://bugs.gentoo.org/857792
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-17.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)