
Bug 667942 (CVE-2018-17456)

Summary: <dev-vcs/git-2.18.1: arbitrary code execution via .gitmodules (CVE-2018-17456)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hydrapolic, polynomial-c, robbat2
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://seclists.org/oss-sec/2018/q4/19
Whiteboard: B3 [noglsa cve]
Package list:
dev-vcs/git-2.18.1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 667268    

Description Hanno Böck gentoo-dev 2018-10-07 09:39:09 UTC
An RCE in Git when checking out submodules has been found:
https://blog.github.com/2018-10-05-git-submodule-vulnerability/
https://seclists.org/oss-sec/2018/q4/19

Upstream fixes in 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1.
This is already bumped.

Our current stable in most archs is 2.18.0, so I believe 2.18.1 or 2.19.1 should be stabilized.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-09 08:33:49 UTC
amd64 stable
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-09 21:25:13 UTC
x86 stable
Comment 3 Rolf Eike Beer archtester 2018-10-10 05:16:50 UTC
sparc stable.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-13 06:57:13 UTC
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-13 16:23:04 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-14 09:48:23 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-14 10:03:47 UTC
ppc64 stable
Comment 8 Mart Raudsepp gentoo-dev 2018-10-14 12:07:46 UTC
arm64 stable, including unlisted new dev-perl/MailTools dep
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-14 16:19:42 UTC
s390/sh stable, m68k has no keyword
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-27 18:56:14 UTC
ia64 stable
Comment 11 Markus Meier gentoo-dev 2018-10-31 17:16:55 UTC
arm stable, all arches done.