CVE-2024-25817: Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components. The above is fixed in 0.18.2
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6a5011c20e312d598ec79b6bc80fe84fd9b48e6 commit f6a5011c20e312d598ec79b6bc80fe84fd9b48e6 Author: Leonardo Hernández Hernández <leohdz172@proton.me> AuthorDate: 2024-03-08 23:43:12 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-03-08 23:57:57 +0000 sys-apps/eza: add 0.18.6 Bug: https://bugs.gentoo.org/926532 Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me> Closes: https://github.com/gentoo/gentoo/pull/35676 Signed-off-by: Sam James <sam@gentoo.org> sys-apps/eza/Manifest | 23 ++++ sys-apps/eza/eza-0.18.6.ebuild | 254 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 277 insertions(+)
Please stable when ready, thanks.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8ce30a090fe76a173bd9ff2b3100ed6b1521420 commit c8ce30a090fe76a173bd9ff2b3100ed6b1521420 Author: Leonardo Hernández Hernández <leohdz172@proton.me> AuthorDate: 2024-03-10 19:18:53 +0000 Commit: Petr Vaněk <arkamar@gentoo.org> CommitDate: 2024-03-11 10:47:14 +0000 sys-apps/eza: drop 0.15.3, 0.17.2-r1 Bug: https://bugs.gentoo.org/926532 Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me> Closes: https://github.com/gentoo/gentoo/pull/35700 Signed-off-by: Petr Vaněk <arkamar@gentoo.org> sys-apps/eza/Manifest | 31 ----- sys-apps/eza/eza-0.15.3.ebuild | 237 ----------------------------------- sys-apps/eza/eza-0.17.2-r1.ebuild | 254 -------------------------------------- 3 files changed, 522 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=874165db3d0e140c9165e4612647b37bfd94cb80 commit 874165db3d0e140c9165e4612647b37bfd94cb80 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-12-11 12:01:47 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-12-11 12:01:56 +0000 [ GLSA 202412-19 ] eza: Arbitrary Code Execution Bug: https://bugs.gentoo.org/926532 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202412-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
This is probably actually caused by bug 923971. The upstream advisory lists, as a reference, https://github.com/eza-community/eza/commit/47c9b90368c49117ba42760bd58acafa3362cbd4 Which is just bumping libgit2. And the attack looks like the same thing described at https://github.com/libgit2/libgit2/commit/e073ceafdba1e632c966a346a38429ea2fd35dd2 per bug 923971. My suspicion is that Gentoo's package has never been vulnerable as it depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05.
(In reply to Eli Schwartz from comment #5) > My suspicion is that Gentoo's package has never been vulnerable as it > depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05. Versions before eza-0.17.2-r1 did NOT use the correct environment variable to force the system libgit2. It *looks like* it will try to automagically detect a system libgit2 by default?