Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 948119 (CVE-2024-53263)

Summary: <dev-vcs/git-lfs-3.6.1: Git LFS permits retrieval of credentials via crafted HTTP URLs
Product: Gentoo Linux Reporter: Nils Freydank <holgersson>
Component: Current packagesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: holgersson, proxy-maint
Priority: High Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
See Also: https://github.com/gentoo/gentoo/pull/40137
Whiteboard: B2 [stable?]
Package list:
Runtime testing required: ---

Description Nils Freydank 2025-01-14 21:14:40 UTC 
Hi,

quoting from upstream's release page of dev-vcs/git-lfs-3.6.1:

"
This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.

Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.

We would like to extend a special thanks to the following open-source contributors:

    @Ry0taK for reporting this to us responsibly
"

The NIST page does not contain information beside the links so far, so I'll link to the CVE only here and put the github.com advisory into the URL field instead: https://nvd.nist.gov/vuln/detail/cve-2024-53263

Kind regards,
Nils

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2025-01-15 05:39:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4e04ce1af4bb3eaa780f463b39802ead06dd75c

commit f4e04ce1af4bb3eaa780f463b39802ead06dd75c
Author:     Nils Freydank <holgersson@posteo.de>
AuthorDate: 2025-01-14 21:27:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2025-01-15 05:39:44 +0000

    dev-vcs/git-lfs: Clean up 3.6.0
    
    Versions < 3.6.1 are vulnerable, start the cleanup with the unstable
    version.
    
    Bug: https://bugs.gentoo.org/948119
    Signed-off-by: Nils Freydank <holgersson@posteo.de>
    Closes: https://github.com/gentoo/gentoo/pull/40137
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-vcs/git-lfs/Manifest             |   2 -
 dev-vcs/git-lfs/git-lfs-3.6.0.ebuild | 106 -----------------------------------
 2 files changed, 108 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42ad87c4aa34fbd34260da98c55733e7f7259747

commit 42ad87c4aa34fbd34260da98c55733e7f7259747
Author:     Nils Freydank <holgersson@posteo.de>
AuthorDate: 2025-01-14 21:27:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2025-01-15 05:39:43 +0000

    dev-vcs/git-lfs: Bump to 3.6.1, CVE-2024-53263
    
    Bug: https://bugs.gentoo.org/948119
    Signed-off-by: Nils Freydank <holgersson@posteo.de>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-vcs/git-lfs/Manifest             |   2 +
 dev-vcs/git-lfs/git-lfs-3.6.1.ebuild | 106 +++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)