Bug 774678 (CVE-2021-21300)

Comment 1 Robin Johnson 2021-03-07 22:56:59 UTC

whissi: ACK; will commit & bump as soon as upstream releases the official tarballs at the end of the embargo.

It would be nice if upstream would include new distfile checksums beyond just the git bundles like this.

Comment 2 Sam James 2021-03-09 18:07:32 UTC

Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.

----------------------------------------------------------------

Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

* CVE-2021-21300:
  On case-insensitive file systems with support for symbolic links,
  if Git is configured globally to apply delay-capable clean/smudge
  filters (such as Git LFS), Git could be fooled into running
  remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.
_______________________________________________

Comment 3 John Helmert III 2021-03-09 20:15:13 UTC

Please stabilize when ready.

commit 20cc50422bc11625049fac616f872123ab9d5d1d
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Tue Mar 9 12:04:38 2021 -0800

    dev-vcs/git: security bump for CVE-2021-21300

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 create mode 100644 dev-vcs/git/git-2.26.3.ebuild
 create mode 100644 dev-vcs/git/git-2.28.1.ebuild
 create mode 100644 dev-vcs/git/git-2.29.3.ebuild
 create mode 100644 dev-vcs/git/git-2.30.2.ebuild

Comment 4 Sam James 2021-03-16 14:42:55 UTC

ping.

Comment 5 Mikle Kolyada (RETIRED) 2021-03-19 18:06:30 UTC

amd64 stable

Comment 6 Rolf Eike Beer 2021-03-19 20:08:39 UTC

sparc stable

Comment 7 Sam James 2021-03-22 00:10:27 UTC

ppc64 done

Comment 8 Sam James 2021-03-22 00:11:01 UTC

ppc done

Comment 9 Rolf Eike Beer 2021-03-22 18:48:03 UTC

hppa stable

Comment 10 Sam James 2021-03-25 23:16:10 UTC

x86 done

Comment 11 Sam James 2021-03-26 11:34:37 UTC

arm64 done

Comment 12 Agostino Sarubbo 2021-03-26 11:50:55 UTC

s390 stable

Comment 13 Sam James 2021-03-28 20:20:05 UTC

arm done

all arches done

Comment 14 John Helmert III 2021-03-28 20:38:07 UTC

Please cleanup.

Comment 15 Larry the Git Cow 2021-04-30 22:18:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc7e5e980dae214ffdb49ff6cc593b226b21cec

commit bbc7e5e980dae214ffdb49ff6cc593b226b21cec
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 22:17:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 22:17:49 +0000

    dev-vcs/git: security cleanup
    
    Bug: https://bugs.gentoo.org/774678
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.26.2.ebuild | 714 ------------------------------------------
 2 files changed, 717 deletions(-)

Comment 16 Thomas Deutschmann (RETIRED) 2021-04-30 22:18:36 UTC

New GLSA request filed.

Comment 17 GLSAMaker/CVETool Bot 2021-05-01 00:01:10 UTC

This issue was resolved and addressed in
 GLSA 202104-01 at https://security.gentoo.org/glsa/202104-01
by GLSA coordinator Thomas Deutschmann (whissi).