Bug 774678 (CVE-2021-21300) - <dev-vcs/git-{2.26.3,2.28.1,2.29.3,2.30.2}: Possible code execution during clone (CVE-2021-21300)
Summary: <dev-vcs/git-{2.26.3,2.28.1,2.29.3,2.30.2}: Possible code execution during cl...
Status: RESOLVED FIXED
Alias: CVE-2021-21300
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-07 15:37 UTC by Thomas Deutschmann
Modified: 2021-05-01 00:01 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Thomas Deutschmann gentoo-dev Security 2021-03-07 15:37:02 UTC
Incoming details.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-03-07 22:56:59 UTC
whissi: ACK; will commit & bump as soon as upstream releases the official tarballs at the end of the embargo.

It would be nice if upstream would include new distfile checksums beyond just the git bundles like this.
Comment 2 Sam James archtester gentoo-dev Security 2021-03-09 18:07:32 UTC
Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.

----------------------------------------------------------------

Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

* CVE-2021-21300:
  On case-insensitive file systems with support for symbolic links,
  if Git is configured globally to apply delay-capable clean/smudge
  filters (such as Git LFS), Git could be fooled into running
  remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.
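The quoted release notes name two preconditions that a defender can check on a host: the Git version must be below the fixed patch level for its maintenance series, and a long-running ("process") clean/smudge filter such as Git LFS must be configured globally. The following script is an added example and is not part of this bug, of Git, or of Gentoo's tooling; it compares a `git --version` string against the fixed versions listed in the notes above and scans `git config --global --list` output for `filter.<name>.process` entries. The config-key heuristic is an assumption: the `process` key marks a filter that uses the long-running protocol, which is the only kind able to negotiate the delay capability, but whether a given filter actually advertises delay is not visible from configuration. The case-insensitive filesystem and symlink preconditions are not checked here.

```python
import re

# Fixed patch levels per 2.x maintenance series, taken from the v2.30.2
# release notes quoted above (CVE-2021-21300). Series newer than 2.30 were
# released after the fix; series older than 2.17 got no fix in this batch
# (assumption: treat them as unfixed).
FIXED_PATCH_LEVEL = {
    17: 6, 18: 5, 19: 6, 20: 5, 21: 4, 22: 5, 23: 4,
    24: 4, 25: 5, 26: 3, 27: 1, 28: 1, 29: 3, 30: 2,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from `git --version` style output,
    e.g. 'git version 2.30.1' or 'git version 2.30.1 (Apple Git-130)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_fixed(version: str) -> bool:
    """True if this Git version carries the CVE-2021-21300 fix."""
    major, minor, patch = parse_git_version(version)
    if major != 2:
        return major > 2
    if minor > max(FIXED_PATCH_LEVEL):
        return True  # 2.31 and later shipped after the fix
    if minor not in FIXED_PATCH_LEVEL:
        return False  # 2.16 and older: no fixed release in this batch
    return patch >= FIXED_PATCH_LEVEL[minor]


def process_filters(config_listing: str) -> list[str]:
    """Return the names of filter drivers that define a long-running
    'process' command, given `git config --global --list` style output
    (key=value per line). Heuristic: only such filters can use the
    delay capability mentioned in the release notes."""
    names = []
    for line in config_listing.splitlines():
        key, _, _value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) == 3 and parts[0] == "filter" and parts[2] == "process":
            names.append(parts[1])
    return names


def assess(version: str, config_listing: str) -> dict:
    """Combine both checks: exposure requires an unfixed Git together
    with a globally configured process filter."""
    filters = process_filters(config_listing)
    fixed = is_fixed(version)
    return {
        "version": version.strip(),
        "fixed": fixed,
        "process_filters": filters,
        "exposed": (not fixed) and bool(filters),
    }


# Constructed sample data: what a Git LFS user's global config might list.
SAMPLE_CONFIG = """\
user.name=Example User
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
"""

if __name__ == "__main__":
    for v in ("git version 2.30.1", "git version 2.30.2", "git version 2.31.0"):
        print(assess(v, SAMPLE_CONFIG))
```

On a real host, feed `assess()` the actual output of `git --version` and `git config --global --list`; a result with `exposed` set means the package should be upgraded to at least the listed patch level for its series before any clone from an untrusted remote.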
Comment 3 John Helmert III gentoo-dev Security 2021-03-09 20:15:13 UTC
Please stabilize when ready.

commit 20cc50422bc11625049fac616f872123ab9d5d1d
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Tue Mar 9 12:04:38 2021 -0800

    dev-vcs/git: security bump for CVE-2021-21300

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 create mode 100644 dev-vcs/git/git-2.26.3.ebuild
 create mode 100644 dev-vcs/git/git-2.28.1.ebuild
 create mode 100644 dev-vcs/git/git-2.29.3.ebuild
 create mode 100644 dev-vcs/git/git-2.30.2.ebuild
Comment 4 Sam James archtester gentoo-dev Security 2021-03-16 14:42:55 UTC
ping.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-03-19 18:06:30 UTC
amd64 stable
Comment 6 Rolf Eike Beer 2021-03-19 20:08:39 UTC
sparc stable
Comment 7 Sam James archtester gentoo-dev Security 2021-03-22 00:10:27 UTC
ppc64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-03-22 00:11:01 UTC
ppc done
Comment 9 Rolf Eike Beer 2021-03-22 18:48:03 UTC
hppa stable
Comment 10 Sam James archtester gentoo-dev Security 2021-03-25 23:16:10 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-03-26 11:34:37 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-03-26 11:50:55 UTC
s390 stable
Comment 13 Sam James archtester gentoo-dev Security 2021-03-28 20:20:05 UTC
arm done

all arches done
Comment 14 John Helmert III gentoo-dev Security 2021-03-28 20:38:07 UTC
Please clean up.
Comment 15 Larry the Git Cow gentoo-dev 2021-04-30 22:18:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc7e5e980dae214ffdb49ff6cc593b226b21cec

commit bbc7e5e980dae214ffdb49ff6cc593b226b21cec
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 22:17:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 22:17:49 +0000

    dev-vcs/git: security cleanup
    
    Bug: https://bugs.gentoo.org/774678
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.26.2.ebuild | 714 ------------------------------------------
 2 files changed, 717 deletions(-)
Comment 16 Thomas Deutschmann gentoo-dev Security 2021-04-30 22:18:36 UTC
New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 00:01:10 UTC
This issue was resolved and addressed in
 GLSA 202104-01 at https://security.gentoo.org/glsa/202104-01
by GLSA coordinator Thomas Deutschmann (whissi).