Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 857831 - <dev-vcs/git-2.37.1: shared repository privilege escalation
Summary: <dev-vcs/git-2.37.1: shared repository privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/git/git/security/a...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 867598
Blocks: CVE-2022-24765 CVE-2022-29187
  Show dependency tree
 
Reported: 2022-07-13 02:30 UTC by John Helmert III
Modified: 2023-12-27 07:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 02:30:56 UTC
CVE-2022-29187 (https://github.blog/2022-04-12-git-security-vulnerability-announced):
https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
Comment 1 Larry the Git Cow gentoo-dev 2022-07-13 04:32:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5bc10ad346a6d3f331ed31584bcb7f440724e6b

commit e5bc10ad346a6d3f331ed31584bcb7f440724e6b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-13 03:08:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-13 04:31:57 +0000

    dev-vcs/git: add 2.37.1
    
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest          |   3 +
 dev-vcs/git/git-2.37.1.ebuild | 641 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 644 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-08-12 15:46:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2
    
    We now have a USE=+safe-directory to allow disabling
    the sometimes problematic behaviour. But we've also
    fixed Portage and pkgcheck/pkgdev anyway.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"
    
    Add IUSE="+safe-directory" that when not enabled, makes the
    safe.directory configuration setting not take effect. The patch is meant
    to be the smallest change (in terms of lines of code) that would let the
    feature work for tests still.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                       |  9 ++++++++-
 dev-vcs/git/metadata.xml                            |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
Comment 3 Larry the Git Cow gentoo-dev 2022-09-01 03:11:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac54f35d33d333126ee9fd4726f66305062fe8df

commit ac54f35d33d333126ee9fd4726f66305062fe8df
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-01 03:10:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-01 03:11:00 +0000

    dev-vcs/git: drop versions
    
    Partial security cleanup.
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest                               |  30 -
 .../git/files/git-2.31.0_rc0-optional-cvs.patch    | 455 ---------------
 dev-vcs/git/files/git-2.32.0-r1-test-t5582.patch   |  22 -
 dev-vcs/git/files/git-daemon-r1.initd              |  13 -
 dev-vcs/git/git-2.32.0-r1.ebuild                   | 644 --------------------
 dev-vcs/git/git-2.33.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.34.1-r1.ebuild                   | 640 --------------------
 dev-vcs/git/git-2.34.1.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.2.ebuild                      | 640 --------------------
 dev-vcs/git/git-2.35.3.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.36.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.0.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.1.ebuild                      | 641 --------------------
 dev-vcs/git/git-2.37.2.ebuild                      | 648 ---------------------
 15 files changed, 7577 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2023-12-27 07:49:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)