Bug 948119 (CVE-2024-53263) - <dev-vcs/git-lfs-3.6.1: Git LFS permits retrieval of credentials via crafted HTTP URLs
Status: CONFIRMED
Alias: CVE-2024-53263
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://github.com/git-lfs/git-lfs/se...
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2025-01-14 21:14 UTC by Nils Freydank
Modified: 2025-01-15 06:48 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Nils Freydank 2025-01-14 21:14:40 UTC
Hi,

quoting from upstream's release page of dev-vcs/git-lfs-3.6.1:

"
This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.

Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.

We would like to extend a special thanks to the following open-source contributors:

    @Ry0taK for reporting this to us responsibly
"

The NIST page does not contain information besides the links so far, so I'll link to the CVE only here and put the github.com advisory into the URL field instead: https://nvd.nist.gov/vuln/detail/cve-2024-53263

Kind regards,
Nils

Reproducible: Always
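As an added illustration of the mechanism the release notes describe (this is example code, not git-lfs's own implementation), the Go program below models the request that Git LFS hands to git-credential(1): one key=value line per field, terminated by a blank line. Because net/url percent-decodes the path, a URL carrying "%0A" yields a real line feed inside one field, which the unchecked builder turns into a second line that a credential helper would read as its own key. The checked builder applies the rule from the advisory: a bare LF is always rejected, a bare CR is rejected unless credential.protectProtocol is equivalent to false. The host names, the Policy type, the function names and the constructed URLs are this example's assumptions; git-lfs reads credential.protectProtocol through git config, and git itself only consults the path field when credential.useHttpPath is set. Go's net/url rejects percent-encoded ASCII in the host part, so the example places the control character in the path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Policy is this example's stand-in for the relevant git config value
// (credential.protectProtocol, which git defaults to true).
type Policy struct {
	ProtectProtocol bool
}

var ErrControlChar = errors.New("credential field contains a line-ending control character")

// checkField rejects a bare LF unconditionally and a bare CR unless
// credential.protectProtocol has been turned off, as the 3.6.1 fix describes.
func checkField(key, value string, p Policy) error {
	if strings.ContainsRune(value, '\n') {
		return fmt.Errorf("%w: %s contains LF", ErrControlChar, key)
	}
	if p.ProtectProtocol && strings.ContainsRune(value, '\r') {
		return fmt.Errorf("%w: %s contains CR", ErrControlChar, key)
	}
	return nil
}

// credentialFields extracts the key=value pairs that git credential reads on
// stdin. net/url decodes "%0A" in the path into a real LF, which is exactly
// the unchecked input the advisory is about.
func credentialFields(rawURL string) ([][2]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	fields := [][2]string{
		{"protocol", u.Scheme},
		{"host", u.Host},
		{"path", strings.TrimPrefix(u.Path, "/")}, // git uses path only with credential.useHttpPath
	}
	if u.User != nil {
		fields = append(fields, [2]string{"username", u.User.Username()})
	}
	return fields, nil
}

// render produces the bytes written to git credential's stdin:
// key=value lines, then a blank line that ends the request.
func render(fields [][2]string) string {
	var b strings.Builder
	for _, kv := range fields {
		if kv[1] != "" {
			fmt.Fprintf(&b, "%s=%s\n", kv[0], kv[1])
		}
	}
	b.WriteString("\n")
	return b.String()
}

// BuildRequestUnchecked models the pre-3.6.1 behaviour: no filtering, so an
// embedded LF splits one field into two lines.
func BuildRequestUnchecked(rawURL string) (string, error) {
	f, err := credentialFields(rawURL)
	if err != nil {
		return "", err
	}
	return render(f), nil
}

// BuildRequestChecked is the hardened form: every field is validated before
// anything is written to the credential helper.
func BuildRequestChecked(rawURL string, p Policy) (string, error) {
	f, err := credentialFields(rawURL)
	if err != nil {
		return "", err
	}
	for _, kv := range f {
		if err := checkField(kv[0], kv[1], p); err != nil {
			return "", err
		}
	}
	return render(f), nil
}

func main() {
	// Constructed sample: the path carries a URL-encoded LF followed by text
	// that, once decoded, reads as a second "host=" line. Hosts are placeholders.
	crafted := "https://lfs.example.test/repo%0Ahost=git.example.test"
	if req, err := BuildRequestUnchecked(crafted); err == nil {
		fmt.Printf("unchecked request:\n%q\n", req)
	}
	_, err := BuildRequestChecked(crafted, Policy{ProtectProtocol: true})
	fmt.Println("checked request:", err)
}
```

The unchecked output shows why the protocol format matters: git credential treats each line as an independent key=value pair, so control characters in any one value let the URL author write extra lines. Validating before serialisation, rather than escaping afterwards, matches the approach in the release notes.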
Comment 1 Larry the Git Cow gentoo-dev 2025-01-15 05:39:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4e04ce1af4bb3eaa780f463b39802ead06dd75c

commit f4e04ce1af4bb3eaa780f463b39802ead06dd75c
Author:     Nils Freydank <holgersson@posteo.de>
AuthorDate: 2025-01-14 21:27:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2025-01-15 05:39:44 +0000

    dev-vcs/git-lfs: Clean up 3.6.0
    
    Versions < 3.6.1 are vulnerable, start the cleanup with the unstable
    version.
    
    Bug: https://bugs.gentoo.org/948119
    Signed-off-by: Nils Freydank <holgersson@posteo.de>
    Closes: https://github.com/gentoo/gentoo/pull/40137
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-vcs/git-lfs/Manifest             |   2 -
 dev-vcs/git-lfs/git-lfs-3.6.0.ebuild | 106 -----------------------------------
 2 files changed, 108 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42ad87c4aa34fbd34260da98c55733e7f7259747

commit 42ad87c4aa34fbd34260da98c55733e7f7259747
Author:     Nils Freydank <holgersson@posteo.de>
AuthorDate: 2025-01-14 21:27:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2025-01-15 05:39:43 +0000

    dev-vcs/git-lfs: Bump to 3.6.1, CVE-2024-53263
    
    Bug: https://bugs.gentoo.org/948119
    Signed-off-by: Nils Freydank <holgersson@posteo.de>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-vcs/git-lfs/Manifest             |   2 +
 dev-vcs/git-lfs/git-lfs-3.6.1.ebuild | 106 +++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)