Bug 656868 (CVE-2018-11233, CVE-2018-11235)

Summary:	<dev-vcs/git-{2.16.4,2.17.1}: multiple vulnerabilities (CVE-2018-{11233,11235})
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	jasmin+gentoo, polynomial-c, robbat2
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://marc.info/?l=git&m=152761328506724&w=2
Whiteboard:	A1 [glsa+ cve]
Package list:	dev-vcs/git-2.16.4	Runtime testing required:	---

Description Hanno Böck gentoo-dev

2018-05-29 19:31:31 UTC

Not a lot of details yet, but it sounds like a serious vuln in git:
https://twitter.com/_staaldraad/status/1001542421161930752
https://marc.info/?l=git&m=152761328506724&w=2

Fixes in 2.17.1 and 2.16.4. Please bump.

Comment 1 Larry the Git Cow gentoo-dev

2018-05-29 23:37:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bddfb756c360f23b5542c580c750558972c9ce50

commit bddfb756c360f23b5542c580c750558972c9ce50
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-29 23:28:23 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-29 23:28:23 +0000

    dev-vcs/git: Bump to v2.16.4 & v2.17.1
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   6 +
 dev-vcs/git/git-2.16.4.ebuild | 699 +++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.17.1.ebuild | 715 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 1420 insertions(+)

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-29 23:39:30 UTC

@ Arches,

please test and mark stable: =dev-vcs/git-2.16.4

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-30 00:56:55 UTC

New GLSA request filed.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-30 01:19:16 UTC

x86 stable

Comment 5 Larry the Git Cow gentoo-dev

2018-05-30 01:29:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=826b0d45dfea7e855ce336f4592acd9a1c9149ac

commit 826b0d45dfea7e855ce336f4592acd9a1c9149ac
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-30 01:29:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-30 01:29:01 +0000

    dev-vcs/git: drop vulnerable v2.17.0 version
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.17.0.ebuild | 715 ------------------------------------------
 2 files changed, 718 deletions(-)

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2018-05-30 01:29:54 UTC

This issue was resolved and addressed in
 GLSA 201805-13 at https://security.gentoo.org/glsa/201805-13
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-30 01:30:48 UTC

Re-opening for remaining architectures.

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2018-05-30 01:45:53 UTC

amd64 stable

Comment 9 Matt Turner gentoo-dev

2018-05-30 04:09:15 UTC

alpha, ppc, ppc64 stable

Comment 10 Mart Raudsepp gentoo-dev

2018-05-30 08:49:25 UTC

arm64 stable with USE=doc stable masked due to bug 511902

Comment 11 Larry the Git Cow gentoo-dev

2018-05-31 07:50:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9cab877a3f7d9e0ce36119bf3e42df41f7628a

commit 2a9cab877a3f7d9e0ce36119bf3e42df41f7628a
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-30 20:59:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 07:50:29 +0000

    dev-vcs/git: stable 2.16.4 for sparc
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-vcs/git/git-2.16.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 12 Larry the Git Cow gentoo-dev

2018-05-31 08:13:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ecb976eb824d57ac9eb29e3364908e68ffaad86

commit 6ecb976eb824d57ac9eb29e3364908e68ffaad86
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-31 08:12:18 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 08:12:18 +0000

    dev-vcs/git: stable 2.16.4 for ia64, bug #656868
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-vcs/git/git-2.16.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 13 Mikle Kolyada archtester

2018-05-31 21:35:32 UTC

arm stable, please cleanup

Comment 14 Larry the Git Cow gentoo-dev

2018-05-31 22:51:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c26dc163049d56571c740e43ceb75b29f3228d5d

commit c26dc163049d56571c740e43ceb75b29f3228d5d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-31 22:50:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-31 22:51:01 +0000

    dev-vcs/git: security cleanup
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   6 -
 dev-vcs/git/git-2.16.1.ebuild | 699 ------------------------------------------
 dev-vcs/git/git-2.16.3.ebuild | 699 ------------------------------------------
 3 files changed, 1404 deletions(-)

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-31 22:51:37 UTC

All done, repository is clean.

Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev

2018-07-28 19:17:58 UTC

commit 2de66dc405bca6fd81339685153f7937a6a21dcd
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Jun 1 08:51:20 2018 +0200

    dev-vcs/git: Stable for HPPA too.