CVE-2022-29187 (https://github.blog/2022-04-12-git-security-vulnerability-announced): https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or as an Administrator on Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened against the exploit described in the example by removing any such repository if it already exists and creating one as root to block any future attacks.
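The advisory above describes two defender-side actions: the patched git versions refuse to use a repository whose .git entry is owned by someone other than the invoking user, and an administrator can audit shared directories for such repositories before deciding to remove them or pre-create a root-owned placeholder. The following POSIX shell script is an added example, not code from the Gentoo bug, the GLSA, or the git project; it approximates git's ownership check (git itself has extra special cases, for example around sudo) with plain ls/awk, and the function names (repo_owned_by, find_git_dir, audit_shared_dir, make_fixture) and the throwaway fixture tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximate the repository-ownership check that patched git
# versions enforce, and audit a shared directory for repositories owned by
# someone else. Not part of the Gentoo bug or the git project.

# owner_of PATH: print the owner name of PATH (third column of ls -ld is the
# owner on every POSIX ls implementation).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# repo_owned_by DIR USER
# 0 when DIR/.git exists and is owned by USER, 1 when it exists but belongs to
# another user (the case the advisory warns about), 2 when DIR has no .git.
repo_owned_by() {
    dir=$1
    user=$2
    [ -e "$dir/.git" ] || return 2
    [ "$(owner_of "$dir/.git")" = "$user" ] && return 0
    return 1
}

# find_git_dir DIR
# Walk upward from DIR, the way git discovers a repository, and print the first
# ancestor (or DIR itself) that contains a .git entry. Returns 1 at / if none.
find_git_dir() {
    d=$(cd "$1" && pwd -P) || return 1
    while :; do
        if [ -e "$d/.git" ]; then
            printf '%s\n' "$d"
            return 0
        fi
        [ "$d" = "/" ] && return 1
        d=$(dirname "$d")
    done
}

# audit_shared_dir DIR
# Report every .git entry in DIR or one level below it (a shared tmp directory,
# say) that is not owned by the invoking user. Prints nothing and returns 0 when
# the directory is clean, 1 when at least one foreign-owned repository exists.
audit_shared_dir() {
    dir=$1
    me=$(id -un)
    found=0
    for g in "$dir"/.git "$dir"/*/.git; do
        [ -e "$g" ] || continue   # unmatched glob leaves the pattern literal
        if [ "$(owner_of "$g")" != "$me" ]; then
            printf 'foreign-owned repository: %s\n' "$g"
            found=1
        fi
    done
    return $found
}

# make_fixture: constructed throwaway tree standing in for a shared directory
# with one repository-like entry created by the invoking user. Prints its path.
make_fixture() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/shared/project/.git" "$base/shared/project/src"
    printf '%s\n' "$base"
}
```

Run the audit as the user who will later invoke git in that directory (for the scenario in the advisory, root): an empty report means every repository there is the caller's own, while any line printed names a repository that the patched versions would refuse and that an administrator should inspect and remove before working there.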
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5bc10ad346a6d3f331ed31584bcb7f440724e6b
commit e5bc10ad346a6d3f331ed31584bcb7f440724e6b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-13 03:08:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-13 04:31:57 +0000

    dev-vcs/git: add 2.37.1

    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.37.1.ebuild | 641 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 644 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310
commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2

    We now have a USE=+safe-directory to allow disabling the sometimes
    problematic behaviour. But we've also fixed Portage and pkgcheck/pkgdev
    anyway.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229
commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"

    Add IUSE="+safe-directory" that when not enabled, makes the
    safe.directory configuration setting not take effect.

    The patch is meant to be the smallest change (in terms of lines of
    code) that would let the feature work for tests still.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                       |  9 ++++++++-
 dev-vcs/git/metadata.xml                            |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac54f35d33d333126ee9fd4726f66305062fe8df
commit ac54f35d33d333126ee9fd4726f66305062fe8df
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-01 03:10:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-01 03:11:00 +0000

    dev-vcs/git: drop versions

    Partial security cleanup.

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest                             |  30 -
 .../git/files/git-2.31.0_rc0-optional-cvs.patch  | 455 ---------------
 dev-vcs/git/files/git-2.32.0-r1-test-t5582.patch |  22 -
 dev-vcs/git/files/git-daemon-r1.initd            |  13 -
 dev-vcs/git/git-2.32.0-r1.ebuild                 | 644 --------------------
 dev-vcs/git/git-2.33.1.ebuild                    | 640 --------------------
 dev-vcs/git/git-2.34.1-r1.ebuild                 | 640 --------------------
 dev-vcs/git/git-2.34.1.ebuild                    | 640 --------------------
 dev-vcs/git/git-2.35.2.ebuild                    | 640 --------------------
 dev-vcs/git/git-2.35.3.ebuild                    | 641 --------------------
 dev-vcs/git/git-2.36.0.ebuild                    | 641 --------------------
 dev-vcs/git/git-2.36.1.ebuild                    | 641 --------------------
 dev-vcs/git/git-2.37.0.ebuild                    | 641 --------------------
 dev-vcs/git/git-2.37.1.ebuild                    | 641 --------------------
 dev-vcs/git/git-2.37.2.ebuild                    | 648 ---------------------
 15 files changed, 7577 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91
commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)