| Summary: | <dev-vcs/git-2.37.1: shared repository privilege escalation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | robbat2 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v | | |
| Whiteboard: | B1 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 867598 | | |
| Bug Blocks: | 838127, 857834 | | |

Description
John Helmert III
2022-07-13 02:30:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5bc10ad346a6d3f331ed31584bcb7f440724e6b

commit e5bc10ad346a6d3f331ed31584bcb7f440724e6b
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-07-13 03:08:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-07-13 04:31:57 +0000

    dev-vcs/git: add 2.37.1

    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest | 3 +
 dev-vcs/git/git-2.37.1.ebuild | 641 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 644 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2

    We now have a USE=+safe-directory to allow disabling the sometimes problematic behaviour. But we've also fixed Portage and pkgcheck/pkgdev anyway.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"

    Add IUSE="+safe-directory" that when not enabled, makes the safe.directory configuration setting not take effect.

    The patch is meant to be the smallest change (in terms of lines of code) that would let the feature work for tests still.

    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild | 9 ++++++++-
 dev-vcs/git/metadata.xml | 1 +
 3 files changed, 23 insertions(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac54f35d33d333126ee9fd4726f66305062fe8df

commit ac54f35d33d333126ee9fd4726f66305062fe8df
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-09-01 03:10:35 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-09-01 03:11:00 +0000

    dev-vcs/git: drop versions

    Partial security cleanup.

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/Manifest | 30 -
 .../git/files/git-2.31.0_rc0-optional-cvs.patch | 455 ---------------
 dev-vcs/git/files/git-2.32.0-r1-test-t5582.patch | 22 -
 dev-vcs/git/files/git-daemon-r1.initd | 13 -
 dev-vcs/git/git-2.32.0-r1.ebuild | 644 --------------------
 dev-vcs/git/git-2.33.1.ebuild | 640 --------------------
 dev-vcs/git/git-2.34.1-r1.ebuild | 640 --------------------
 dev-vcs/git/git-2.34.1.ebuild | 640 --------------------
 dev-vcs/git/git-2.35.2.ebuild | 640 --------------------
 dev-vcs/git/git-2.35.3.ebuild | 641 --------------------
 dev-vcs/git/git-2.36.0.ebuild | 641 --------------------
 dev-vcs/git/git-2.36.1.ebuild | 641 --------------------
 dev-vcs/git/git-2.37.0.ebuild | 641 --------------------
 dev-vcs/git/git-2.37.1.ebuild | 641 --------------------
 dev-vcs/git/git-2.37.2.ebuild | 648 ---------------------
 15 files changed, 7577 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2c2ec5453e20060d4ec1717825d2874f0e663f91

commit 2c2ec5453e20060d4ec1717825d2874f0e663f91
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-27 07:49:08 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-27 07:49:42 +0000

    [ GLSA 202312-15 ] Git: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/877565
    Bug: https://bugs.gentoo.org/891221
    Bug: https://bugs.gentoo.org/894472
    Bug: https://bugs.gentoo.org/905088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-15.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)