Bug 926532 (CVE-2024-25817) - <sys-apps/eza-0.18.6: local arbitrary code execution via .git/HEAD and .git/objects components
Status: RESOLVED FIXED
Alias: CVE-2024-25817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/advisories/GHSA-3q...
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on: 926534
Blocks:
Reported: 2024-03-08 22:38 UTC by Christopher Fore
Modified: 2024-12-13 09:34 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---
Description Christopher Fore 2024-03-08 22:38:17 UTC
CVE-2024-25817:

Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.


The above is fixed in 0.18.2
Comment 1 Larry the Git Cow gentoo-dev 2024-03-08 23:58:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6a5011c20e312d598ec79b6bc80fe84fd9b48e6

commit f6a5011c20e312d598ec79b6bc80fe84fd9b48e6
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-08 23:43:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-08 23:57:57 +0000

    sys-apps/eza: add 0.18.6
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35676
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/eza/Manifest          |  23 ++++
 sys-apps/eza/eza-0.18.6.ebuild | 254 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 2 Sam James gentoo-dev Security 2024-03-08 23:59:55 UTC
Please stable when ready, thanks.
Comment 3 Larry the Git Cow gentoo-dev 2024-03-11 10:50:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8ce30a090fe76a173bd9ff2b3100ed6b1521420

commit c8ce30a090fe76a173bd9ff2b3100ed6b1521420
Author:     Leonardo Hernández Hernández <leohdz172@proton.me>
AuthorDate: 2024-03-10 19:18:53 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-03-11 10:47:14 +0000

    sys-apps/eza: drop 0.15.3, 0.17.2-r1
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: Leonardo Hernández Hernández <leohdz172@proton.me>
    Closes: https://github.com/gentoo/gentoo/pull/35700
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-apps/eza/Manifest             |  31 -----
 sys-apps/eza/eza-0.15.3.ebuild    | 237 -----------------------------------
 sys-apps/eza/eza-0.17.2-r1.ebuild | 254 --------------------------------------
 3 files changed, 522 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-12-11 12:01:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=874165db3d0e140c9165e4612647b37bfd94cb80

commit 874165db3d0e140c9165e4612647b37bfd94cb80
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-11 12:01:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-11 12:01:56 +0000

    [ GLSA 202412-19 ] eza: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/926532
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 5 Eli Schwartz gentoo-dev 2024-12-13 00:52:03 UTC
This is probably actually caused by bug 923971. The upstream advisory lists, as a reference, https://github.com/eza-community/eza/commit/47c9b90368c49117ba42760bd58acafa3362cbd4

which is just bumping libgit2. And the attack looks like the same thing described at https://github.com/libgit2/libgit2/commit/e073ceafdba1e632c966a346a38429ea2fd35dd2 per bug 923971.

My suspicion is that Gentoo's package has never been vulnerable as it depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05.
Comment 6 Eli Schwartz gentoo-dev 2024-12-13 09:34:11 UTC
(In reply to Eli Schwartz from comment #5)
> My suspicion is that Gentoo's package has never been vulnerable as it
> depends on dev-libs/libgit2 and therefore is covered by GLSA 202411-05.

Versions before eza-0.17.2-r1 did NOT use the correct environment variable to force the system libgit2. It *looks like* it will try to automagically detect a system libgit2 by default?
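The question in the two comments above is whether a given eza binary is backed by the system dev-libs/libgit2 (and so covered by GLSA 202411-05) or by a copy the libgit2-sys crate compiled in itself. The following check is an added example, not part of the bug report or of Gentoo's ebuilds: it classifies a binary from its `ldd` output, and ships with constructed sample output so it can be exercised without an eza install. It assumes a glibc-based Linux host with `ldd` on PATH; the `LIBGIT2_NO_VENDOR` variable named in the comments is the libgit2-sys crate's switch for forcing the system library and is not mentioned on this page.

```shell
#!/bin/sh
# Added example: decide whether an eza binary uses the shared system libgit2
# or a bundled copy. Assumption: a shared libgit2.so.* in `ldd` output means
# the system library (patched via GLSA 202411-05) is in use; its absence means
# libgit2-sys built and statically linked its vendored copy (the case the
# comments above worry about), which only the eza-side update addresses.

# classify_libgit2: reads `ldd` output on stdin, prints "system" or "bundled".
classify_libgit2() {
    if grep -q 'libgit2\.so' ; then
        printf 'system\n'
    else
        printf 'bundled\n'
    fi
}

# check_binary: runs ldd on the given path and classifies the result.
# Returns 2 if the path is not an executable file.
check_binary() {
    bin=$1
    [ -x "$bin" ] || { printf 'not executable: %s\n' "$bin" >&2; return 2; }
    ldd "$bin" 2>/dev/null | classify_libgit2
}

# Constructed sample ldd output (addresses are made up) for offline testing.
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007ffdf1a3e000)
	libgit2.so.1.8 => /usr/lib64/libgit2.so.1.8 (0x00007f3c2e400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c2e000000)'
SAMPLE_BUNDLED='	linux-vdso.so.1 (0x00007ffdf1a3e000)
	libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f3c2e400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c2e000000)'

# Usage: sh check-eza-libgit2.sh /usr/bin/eza
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

A "bundled" result on a Gentoo system means the binary was built before the ebuild forced the system library, and the version bound in this bug (eza-0.18.6 or later) is what actually applies the fix.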