Bug 857792 - <dev-libs/libgit2-{1.3.2,1.4.4}: Shared repository vulnerability
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 857795 857798
Blocks: CVE-2022-29187
Reported: 2022-07-12 18:49 UTC by Michał Górny
Modified: 2022-07-13 17:55 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-12 18:49:19 UTC
Apparently the same thing as git's CVE-2022-29187.

From changelog:

* This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), now not only is the working directory of a non-bare repository examined for its ownership, but the `.git` directory and the `.git` file (if present) are also examined for their ownership.

* A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in `sudo`.

* A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using `runas Administrator`).
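
The following is an added example, not part of the bug report and not libgit2's or git's code. It is a Python audit sketch of the check the changelog describes: the working directory, the `.git` directory and the `.git` file (plus the directory that file points to) are each compared against the current user. The function names are hypothetical, and the `SUDO_UID` handling is an assumption modeled on the changelog's description of the `sudo` case.

```python
import os
from pathlib import Path

def trusted_uids(euid, sudo_uid=None):
    """UIDs whose files the caller may trust (assumed policy, see lead-in)."""
    uids = {euid}
    # Running as root through sudo: also accept the invoking user's files.
    if euid == 0 and sudo_uid is not None and sudo_uid.isdigit():
        uids.add(int(sudo_uid))
    return uids

def ownership_targets(worktree):
    """Paths the changelog says are examined: worktree, .git dir, .git file."""
    worktree = Path(worktree)
    dotgit = worktree / ".git"
    targets = [worktree]
    if dotgit.is_file():
        # A .git *file* points at the real git directory; check both.
        targets.append(dotgit)
        text = dotgit.read_text(errors="replace").strip()
        if text.startswith("gitdir:"):
            targets.append((worktree / text[len("gitdir:"):].strip()).resolve())
    elif dotgit.is_dir():
        targets.append(dotgit)
    return targets

def audit_repo(worktree, euid=None, sudo_uid=None):
    """Return [(path, owner_uid)] for every examined path with a foreign owner."""
    if euid is None:
        euid = os.geteuid()
        sudo_uid = os.environ.get("SUDO_UID")
    allowed = trusted_uids(euid, sudo_uid)
    foreign = []
    for path in ownership_targets(worktree):
        try:
            owner = os.lstat(path).st_uid
        except FileNotFoundError:
            foreign.append((str(path), None))  # dangling gitdir pointer
            continue
        if owner not in allowed:
            foreign.append((str(path), owner))
    return foreign

if __name__ == "__main__":
    for path, owner in audit_repo("."):
        print(f"foreign owner uid={owner}: {path}")
```

An empty result means every examined path belongs to the current user (or, under `sudo`, to the invoking user); any entry is a path that the hardened versions would treat as untrusted.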
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 09:04:59 UTC
cleanup done
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 17:55:03 UTC
Thanks!