Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 926532 (CVE-2024-25817)

Summary: <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/objects components
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ajak, arkamar, leohdz172, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
See Also: https://github.com/gentoo/gentoo/pull/35676
https://github.com/gentoo/gentoo/pull/35700
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 926534    
Bug Blocks:    

Description Christopher Fore 2024-03-08 22:38:17 UTC 
CVE-2024-25817:

Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.


The above is fixed in 0.18.2
Comment 1 Larry the Git Cow gentoo-dev 2024-03-08 23:58:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6a5011c20e312d598ec79b6bc80fe84fd9b48e6

commit f6a5011c20e312d598ec79b6bc80fe84fd9b48e6
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-08 23:43:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-08 23:57:57 +0000

    sys-apps/eza: add 0.18.6
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35676
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/eza/Manifest          |  23 ++++
 sys-apps/eza/eza-0.18.6.ebuild | 254 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-03-08 23:59:55 UTC 
Please stable when ready, thanks.
Comment 3 Larry the Git Cow gentoo-dev 2024-03-11 10:50:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8ce30a090fe76a173bd9ff2b3100ed6b1521420

commit c8ce30a090fe76a173bd9ff2b3100ed6b1521420
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-10 19:18:53 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-03-11 10:47:14 +0000

    sys-apps/eza: drop 0.15.3, 0.17.2-r1
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35700
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-apps/eza/Manifest             |  31 -----
 sys-apps/eza/eza-0.15.3.ebuild    | 237 -----------------------------------
 sys-apps/eza/eza-0.17.2-r1.ebuild | 254 --------------------------------------
 3 files changed, 522 deletions(-)