Bug 656868 (CVE-2018-11233, CVE-2018-11235)

Summary: <dev-vcs/git-{2.16.4,2.17.1}: multiple vulnerabilities (CVE-2018-{11233,11235})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: jbuchert+genbug, polynomial-c, robbat2
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://marc.info/?l=git&m=152761328506724&w=2
Whiteboard: A1 [glsa+ cve]
Package list:
dev-vcs/git-2.16.4
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-05-29 19:31:31 UTC
Not a lot of details yet, but it sounds like a serious vuln in git:
https://twitter.com/_staaldraad/status/1001542421161930752
https://marc.info/?l=git&m=152761328506724&w=2

Fixes in 2.17.1 and 2.16.4. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2018-05-29 23:37:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bddfb756c360f23b5542c580c750558972c9ce50

commit bddfb756c360f23b5542c580c750558972c9ce50
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-29 23:28:23 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-29 23:28:23 +0000

    dev-vcs/git: Bump to v2.16.4 & v2.17.1
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   6 +
 dev-vcs/git/git-2.16.4.ebuild | 699 +++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.17.1.ebuild | 715 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 1420 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-05-29 23:39:30 UTC
@ Arches,

please test and mark stable: =dev-vcs/git-2.16.4
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-05-30 00:56:55 UTC
New GLSA request filed.
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-05-30 01:19:16 UTC
x86 stable
Comment 5 Larry the Git Cow gentoo-dev 2018-05-30 01:29:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=826b0d45dfea7e855ce336f4592acd9a1c9149ac

commit 826b0d45dfea7e855ce336f4592acd9a1c9149ac
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-30 01:29:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-30 01:29:01 +0000

    dev-vcs/git: drop vulnerable v2.17.0 version
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.17.0.ebuild | 715 ------------------------------------------
 2 files changed, 718 deletions(-)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-05-30 01:29:54 UTC
This issue was resolved and addressed in
 GLSA 201805-13 at https://security.gentoo.org/glsa/201805-13
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-05-30 01:30:48 UTC
Re-opening for remaining architectures.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-30 01:45:53 UTC
amd64 stable
Comment 9 Matt Turner gentoo-dev 2018-05-30 04:09:15 UTC
alpha, ppc, ppc64 stable
Comment 10 Mart Raudsepp gentoo-dev 2018-05-30 08:49:25 UTC
arm64 stable with USE=doc stable masked due to bug 511902
Comment 11 Larry the Git Cow gentoo-dev 2018-05-31 07:50:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9cab877a3f7d9e0ce36119bf3e42df41f7628a

commit 2a9cab877a3f7d9e0ce36119bf3e42df41f7628a
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-30 20:59:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 07:50:29 +0000

    dev-vcs/git: stable 2.16.4 for sparc
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-vcs/git/git-2.16.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Larry the Git Cow gentoo-dev 2018-05-31 08:13:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ecb976eb824d57ac9eb29e3364908e68ffaad86

commit 6ecb976eb824d57ac9eb29e3364908e68ffaad86
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-31 08:12:18 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-31 08:12:18 +0000

    dev-vcs/git: stable 2.16.4 for ia64, bug #656868
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.38, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-vcs/git/git-2.16.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-05-31 21:35:32 UTC
arm stable, please cleanup
Comment 14 Larry the Git Cow gentoo-dev 2018-05-31 22:51:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c26dc163049d56571c740e43ceb75b29f3228d5d

commit c26dc163049d56571c740e43ceb75b29f3228d5d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-05-31 22:50:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-05-31 22:51:01 +0000

    dev-vcs/git: security cleanup
    
    Bug: https://bugs.gentoo.org/656868
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-vcs/git/Manifest          |   6 -
 dev-vcs/git/git-2.16.1.ebuild | 699 ------------------------------------------
 dev-vcs/git/git-2.16.3.ebuild | 699 ------------------------------------------
 3 files changed, 1404 deletions(-)
Comment 15 Thomas Deutschmann gentoo-dev Security 2018-05-31 22:51:37 UTC
All done, repository is clean.
Comment 16 Sergei Trofimovich gentoo-dev 2018-07-28 19:17:58 UTC
commit 2de66dc405bca6fd81339685153f7937a6a21dcd
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Jun 1 08:51:20 2018 +0200

    dev-vcs/git: Stable for HPPA too.