Bug 562884 - <dev-vcs/git-{2.3.10,2.4.10}: arbitrary code execution via crafted URLs (CVE-2015-7545)
Summary: <dev-vcs/git-{2.3.10,2.4.10}: arbitrary code execution via crafted URLs (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-12 07:45 UTC by Agostino Sarubbo
Modified: 2016-05-02 19:40 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-10-12 07:45:51 UTC
From ${URL} :

The following issue was fixed in Git version 2.6.1:

* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

Upstream patches:

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

CVE request:

http://seclists.org/oss-sec/2015/q4/37


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
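An added defensive check, not part of this bug report or of git's own code: it classifies submodule URLs by transport protocol the way the upstream fix does (remote-helper `helper::` syntax, `scheme://` URLs, scp-like ssh, bare paths) and audits a `.gitmodules` file for entries outside an allowlist, so a repository can be inspected before anyone runs a recursive fetch. The default allowlist and the sample `.gitmodules` are assumptions constructed for this example.

```python
import configparser

# Assumed default allowlist: the restrictive set the fixed git applies to
# submodule fetches (assumption for this example; git reads GIT_ALLOW_PROTOCOL).
DEFAULT_ALLOWED = frozenset({"file", "git", "http", "https", "ssh"})

# Constructed sample .gitmodules, not taken from any real repository.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
	path = vendor/lib
	url = https://example.com/lib.git
[submodule "tools"]
	path = tools
	url = git@example.com:org/tools.git
[submodule "untrusted"]
	path = untrusted
	url = ext::placeholder-helper %S
"""

def protocol_of(url: str) -> str:
    """Name the transport protocol the way git's transport layer does:
    "helper::rest" is a remote helper (e.g. "ext"), "scheme://..." is the
    scheme, scp-like "user@host:path" is ssh, and a bare path is file."""
    if "::" in url:
        return url.split("::", 1)[0]
    if "://" in url:
        return url.split("://", 1)[0].lower()
    colon, slash = url.find(":"), url.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        return "ssh"
    return "file"

def audit_gitmodules(text: str, allowed=DEFAULT_ALLOWED) -> dict:
    """Return {submodule name: protocol} for every url outside the allowlist."""
    # interpolation=None: helper URLs may legitimately contain '%' sequences.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    flagged = {}
    for section in cp.sections():
        kind, _, name = section.partition(" ")
        url = cp[section].get("url")
        if kind != "submodule" or url is None:
            continue
        proto = protocol_of(url)
        if proto not in allowed:
            flagged[name.strip('"')] = proto
    return flagged

if __name__ == "__main__":
    print(audit_gitmodules(SAMPLE_GITMODULES))  # {'untrusted': 'ext'}
```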
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2015-10-17 09:07:45 UTC
AFAIK the same fixes went into =dev-vcs/git-2.3.10, =dev-vcs/git-2.4.10 and =dev-vcs/git-2.5.4

So I'd prefer to stabilize =dev-vcs/git-2.3.10 and =dev-vcs/git-2.4.10:

Arches please test and mark stable the above mentioned two versions. Target keywords are:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-17 09:33:48 UTC
amd64 stable
Comment 3 Jeroen Roovers gentoo-dev 2015-10-18 06:42:07 UTC
Stable for PPC64.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-18 13:24:52 UTC
x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2015-10-19 04:10:17 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann gentoo-dev 2015-10-21 15:18:22 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2015-11-03 19:18:44 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-04 14:38:48 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-11-05 11:00:43 UTC
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-11-08 19:45:58 UTC
ia64 stable
Comment 11 Lars Wendler (Polynomial-C) gentoo-dev 2015-11-19 14:23:55 UTC
commit 6064b8095a426e5e985ad64632ac58674c9fcea9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Nov 19 15:23:15 2015

    dev-vcs/git: Removed vulnerable versions (bug #562884).
    
    Package-Manager: portage-2.2.25
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-21 19:35:36 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-05-02 19:40:00 UTC
This issue was resolved and addressed in
 GLSA 201605-01 at https://security.gentoo.org/glsa/201605-01
by GLSA coordinator Kristian Fiskerstrand (K_F).