
Bug 811261 (CVE-2021-40330)

Summary: <dev-vcs/git-2.30.1: unexpected cross-protocol requesting (CVE-2021-40330)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: flow, polynomial-c, robbat2
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-08-31 14:29:25 UTC

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Please cleanup <2.30.1.
Comment 1 John Helmert III gentoo-dev Security 2021-11-12 01:46:28 UTC
Cleanup done. Minimal impact, no GLSA, closing.
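
An added example, not part of the bug report and not Git's own code: a Python check that flags git:// URLs (for instance from submodule or CI configuration) whose percent-decoded host or path carries the newline characters the description refers to. The name `audit_git_url`, the inclusion of CR and NUL alongside newline, and every sample URL except the one quoted in the description are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Characters rejected in a git:// host or repository path.
# The CVE text names newline; CR and NUL are added here as an assumption.
FORBIDDEN = {"\n": "LF", "\r": "CR", "\0": "NUL"}


def audit_git_url(url):
    """Return (component, character) findings for a git:// URL.

    An empty list means nothing was found. URLs with another scheme
    are not inspected, because the issue concerns the git:// transport.
    """
    parts = urlsplit(url)
    if parts.scheme != "git":
        return []

    # Check the raw string too: urlsplit may silently drop literal
    # newlines, so they would otherwise go unreported.
    components = {
        "raw": url,
        "host": unquote(parts.netloc),
        "path": unquote(parts.path),
    }

    findings = []
    for component, value in components.items():
        for char, name in FORBIDDEN.items():
            if char in value:
                findings.append((component, name))
    return findings


if __name__ == "__main__":
    samples = [
        # Substring quoted in the bug description.
        "git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1",
        # Constructed benign URL.
        "git://git.example.org/project.git",
    ]
    for sample in samples:
        result = audit_git_url(sample)
        print("REJECT" if result else "ok    ", sample, result)
```
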