| Summary: | <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/objects components | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ajak, arkamar, eschwartz, leohdz172, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/advisories/GHSA-3qx3-6hxr-j2ch | | |
| See Also: | https://github.com/gentoo/gentoo/pull/35676, https://github.com/gentoo/gentoo/pull/35700 | | |
| Whiteboard: | B2 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 926534 | | |
| Bug Blocks: | | | |
Description
Christopher Fore
2024-03-08 22:38:17 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6a5011c20e312d598ec79b6bc80fe84fd9b48e6

    commit f6a5011c20e312d598ec79b6bc80fe84fd9b48e6
    Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
    AuthorDate: 2024-03-08 23:43:12 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2024-03-08 23:57:57 +0000

    sys-apps/eza: add 0.18.6

    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35676
    Signed-off-by: Sam James <sam@gentoo.org>

    sys-apps/eza/Manifest          |  23 ++++
    sys-apps/eza/eza-0.18.6.ebuild | 254 +++++++++++++++++++++++++++++++++++++++++
    2 files changed, 277 insertions(+)

Please stable when ready, thanks.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8ce30a090fe76a173bd9ff2b3100ed6b1521420

    commit c8ce30a090fe76a173bd9ff2b3100ed6b1521420
    Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
    AuthorDate: 2024-03-10 19:18:53 +0000
    Commit:     Petr Vaněk <arkamar@gentoo.org>
    CommitDate: 2024-03-11 10:47:14 +0000

    sys-apps/eza: drop 0.15.3, 0.17.2-r1

    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35700
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

    sys-apps/eza/Manifest             |  31 -----
    sys-apps/eza/eza-0.15.3.ebuild    | 237 ----------------------------------
    sys-apps/eza/eza-0.17.2-r1.ebuild | 254 --------------------------------------
    3 files changed, 522 deletions(-)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=874165db3d0e140c9165e4612647b37bfd94cb80

    commit 874165db3d0e140c9165e4612647b37bfd94cb80
    Author:     GLSAMaker <glsamaker@gentoo.org>
    AuthorDate: 2024-12-11 12:01:47 +0000
    Commit:     Hans de Graaff <graaff@gentoo.org>
    CommitDate: 2024-12-11 12:01:56 +0000

    [ GLSA 202412-19 ] eza: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

    glsa-202412-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
    1 file changed, 42 insertions(+)

This is probably actually caused by bug 923971.

The upstream advisory lists, as a reference, https://github.com/eza-community/eza/commit/47c9b90368c49117ba42760bd58acafa3362cbd4, which is just bumping libgit2. And the attack looks like the same thing described at https://github.com/libgit2/libgit2/commit/e073ceafdba1e632c966a346a38429ea2fd35dd2 per bug 923971.

My suspicion is that Gentoo's package has never been vulnerable as it depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05.

(In reply to Eli Schwartz from comment #5)
> My suspicion is that Gentoo's package has never been vulnerable as it
> depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05.

Versions before eza-0.17.2-r1 did NOT use the correct environment variable to force the system libgit2. It *looks like* it will try to automagically detect a system libgit2 by default?
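The last two comments turn on one question: does a given eza binary link the distribution's libgit2 (so the libgit2 GLSA covers it) or carry its own vendored copy (so only the eza 0.18.6 bump helps)? The following is an added check that is not part of the bug report or of the eza or Gentoo projects; it reads `ldd` output and reports which case applies. The sample `ldd` outputs are constructed, and `eza` is only assumed to be in `PATH` for the live-system helper.

```shell
#!/bin/sh
# Added example, not from the bug report or the eza/Gentoo projects.
# Decide whether an eza binary uses the system libgit2 (patched through the
# distro's libgit2 package) or a vendored copy (needs the eza bump itself).

# Return 0 when the given `ldd` output lists a dynamic libgit2.so,
# 1 otherwise (vendored/static libgit2, or a build without git support).
links_system_libgit2() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*libgit2\.so'
}

# Print the soname version of the libgit2 dependency (e.g. "1.7");
# print nothing when there is no dynamic libgit2.
libgit2_soname_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*libgit2\.so\.\([0-9.]*\) .*/\1/p' \
        | head -n 1
}

# Classify one binary on a live system (needs ldd); defaults to eza in PATH.
# Exit status: 0 = system libgit2, 1 = vendored/static, 2 = binary not found.
check_eza_binary() {
    bin=${1:-$(command -v eza)}
    [ -n "$bin" ] && [ -x "$bin" ] || { echo "eza not found"; return 2; }
    out=$(ldd "$bin" 2>/dev/null) || { echo "$bin: static or not a dynamic ELF"; return 1; }
    if links_system_libgit2 "$out"; then
        echo "$bin links system libgit2 $(libgit2_soname_version "$out"): fixed via the libgit2 package"
        return 0
    fi
    echo "$bin has no dynamic libgit2: vendored copy, needs eza >= 0.18.6"
    return 1
}

# Constructed sample ldd outputs (addresses and paths are made up).
SAMPLE_SYSTEM='        linux-vdso.so.1 (0x00007ffd5a3fe000)
        libgit2.so.1.7 => /usr/lib64/libgit2.so.1.7 (0x00007f2c1c200000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007f2c1c000000)'
SAMPLE_VENDORED='        linux-vdso.so.1 (0x00007ffd5a3fe000)
        libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f2c1c400000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007f2c1c000000)'
```

Run `check_eza_binary` on a real host to classify the installed binary; the two sample variables exercise the parser offline.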