
Bug 811261 (CVE-2021-40330)

Summary: <dev-vcs/git-2.30.1: unexpected cross-protocol requesting (CVE-2021-40330)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: flow, polynomial-c, robbat2
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473
See Also: https://github.com/gentoo/gentoo/pull/22688
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-08-31 14:29:25 UTC
CVE-2021-40330:

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Please clean up <2.30.1.
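The upstream commit linked above forbids newlines in the host and path of a git:// URL. As an added illustration (not code from this bug report or from git itself), the following Python performs the equivalent check on the client side: it percent-decodes the URL the way git does before sending the request, and rejects any host or path that contains a line break. Rejecting carriage returns as well as line feeds is an assumption of this example, slightly stricter than the upstream check.

```python
import urllib.parse


def decoded_fields(url: str) -> tuple[str, str]:
    """Split a git:// URL and percent-decode its host and path.

    git decodes URL-looking inputs before building the protocol request,
    so "%0d%0a" in the path becomes a literal CR LF at this point.
    """
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "git":
        raise ValueError("only git:// URLs are handled by this example")
    host = urllib.parse.unquote(parsed.netloc)
    path = urllib.parse.unquote(parsed.path)
    return host, path


def repo_url_is_safe(url: str) -> bool:
    """Return False when the decoded host or path contains CR or LF.

    A line break inside either field would let the remainder of the string
    be interpreted by the server as a separate line, which is the
    cross-protocol confusion described in CVE-2021-40330.
    """
    host, path = decoded_fields(url)
    return not any(ch in field for field in (host, path) for ch in "\r\n")


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL and the substring quoted
    # in the CVE description, percent-encoded as it would appear on the wire.
    samples = [
        "git://localhost:1234/repo.git",
        "git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1",
    ]
    for sample in samples:
        verdict = "ok" if repo_url_is_safe(sample) else "REJECTED (line break)"
        print(f"{sample}: {verdict}")
```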
Comment 1 John Helmert III gentoo-dev Security 2021-11-12 01:46:28 UTC
Cleanup done. Minimal impact, no GLSA, closing.