926532 – (CVE-2024-25817) <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/objects components

Bug 926532 (CVE-2024-25817) - <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/objects components

Summary: <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/o...

Status:	CONFIRMED

Alias:	CVE-2024-25817

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/advisories/GHSA-3q...
Whiteboard:	B2 [glsa?]
Keywords:	PullRequest

Depends on:	926534
Blocks:
	Show dependency tree

Reported:	2024-03-08 22:38 UTC by Christopher Fore
Modified:	2024-03-11 10:50 UTC (History)
CC List:	4 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/35676 https://github.com/gentoo/gentoo/pull/35700
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2024-03-08 22:38:17 UTC

CVE-2024-25817:

Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.


The above is fixed in 0.18.2

Comment 1 Larry the Git Cow gentoo-dev

2024-03-08 23:58:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6a5011c20e312d598ec79b6bc80fe84fd9b48e6

commit f6a5011c20e312d598ec79b6bc80fe84fd9b48e6
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-08 23:43:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-08 23:57:57 +0000

    sys-apps/eza: add 0.18.6
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35676
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/eza/Manifest          |  23 ++++
 sys-apps/eza/eza-0.18.6.ebuild | 254 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)

Comment 2 Sam James archtester

2024-03-08 23:59:55 UTC

Please stable when ready, thanks.

Comment 3 Larry the Git Cow gentoo-dev

2024-03-11 10:50:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8ce30a090fe76a173bd9ff2b3100ed6b1521420

commit c8ce30a090fe76a173bd9ff2b3100ed6b1521420
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-10 19:18:53 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-03-11 10:47:14 +0000

    sys-apps/eza: drop 0.15.3, 0.17.2-r1
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35700
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-apps/eza/Manifest             |  31 -----
 sys-apps/eza/eza-0.15.3.ebuild    | 237 -----------------------------------
 sys-apps/eza/eza-0.17.2-r1.ebuild | 254 --------------------------------------
 3 files changed, 522 deletions(-)