857792 – <dev-libs/libgit2-{1.3.2,1.4.4}: Shared repository vulnerability

Bug 857792 - <dev-libs/libgit2-{1.3.2,1.4.4}: Shared repository vulnerability

Summary: <dev-libs/libgit2-{1.3.2,1.4.4}: Shared repository vulnerability

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa?]
Keywords:

Depends on:	857795 857798
Blocks:	CVE-2022-29187
	Show dependency tree

Reported:	2022-07-12 18:49 UTC by Michał Górny
Modified:	2022-07-13 17:55 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2022-24765
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-07-12 18:49:19 UTC

Apparently the same thing as git's CVE-2022-29187.

From changelog:

* This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), now not only is the working directory of a non-bare repository examined for its ownership, but the `.git` directory and the `.git` file (if present) are also examined for their ownership.

* A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in `sudo`.

* A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using `runas Administrator`).

Comment 1 Michał Górny archtester

2022-07-13 09:04:59 UTC

cleanup done

Comment 2 John Helmert III archtester

2022-07-13 17:55:03 UTC

Thanks!