Bug 667942 (CVE-2018-17456)

Summary:	<dev-vcs/git-2.18.1: arbitrary code execution via .gitmodules (CVE-2018-17456)
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	hydrapolic, polynomial-c, robbat2
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://seclists.org/oss-sec/2018/q4/19
Whiteboard:	B3 [noglsa cve]
Package list:	dev-vcs/git-2.18.1	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	667268

Description Hanno Böck gentoo-dev

2018-10-07 09:39:09 UTC

An RCE in Git when checking out submodules has been found:
https://blog.github.com/2018-10-05-git-submodule-vulnerability/
https://seclists.org/oss-sec/2018/q4/19

Upstream fixes in 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1.
This is already bumped.

Our current stable in most archs is 2.18.0, so I believe 2.18.1 or 2.19.1 should be stabilized.

Comment 1 Mikle Kolyada (RETIRED) archtester

2018-10-09 08:33:49 UTC

amd64 stable

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2018-10-09 21:25:13 UTC

x86 stable

Comment 3 Rolf Eike Beer archtester

2018-10-10 05:16:50 UTC

sparc stable.

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev

2018-10-13 06:57:13 UTC

Stable on alpha.

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2018-10-13 16:23:04 UTC

hppa stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-10-14 09:48:23 UTC

ppc stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2018-10-14 10:03:47 UTC

ppc64 stable

Comment 8 Mart Raudsepp gentoo-dev

2018-10-14 12:07:46 UTC

arm64 stable, including unlisted new dev-perl/MailTools dep

Comment 9 Mikle Kolyada (RETIRED) archtester

2018-10-14 16:19:42 UTC

s390/sh stable m68k has no the keyword

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2018-10-27 18:56:14 UTC

ia64 stable

Comment 11 Markus Meier gentoo-dev

2018-10-31 17:16:55 UTC

arm stable, all arches done.