Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647446 (CVE-2018-1000021) - <dev-vcs/git-2.16.0: Input validation error
Summary: <dev-vcs/git-2.16.0: Input validation error
Status: RESOLVED FIXED
Alias: CVE-2018-1000021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-12 19:14 UTC by GLSAMaker/CVETool Bot
Modified: 2018-07-27 21:30 UTC (History)
2 users (show)

See Also:
Package list:
=dev-vcs/git-2.16.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-12 19:14:31 UTC
CVE-2018-1000021 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000021):
  GIT version 2.15.1 and earlier contains a Input Validation Error
  vulnerability in Client that can result in problems including messing up
  terminal configuration to RCE. This attack appear to be exploitable via The
  user must interact with a malicious git server, (or have their traffic
  modified in a MITM attack).


Maintainers 2.16.1 is already in tree, please call for stabilization when ready.

Thank you
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-02-14 13:28:48 UTC
Arches please stabilize =dev-vcs/git-2.16.1
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-14 14:30:57 UTC
x86 stable
Comment 3 Jason Zaman gentoo-dev 2018-02-14 16:58:11 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-17 13:02:21 UTC
commit 3e39d2d249c1dd97f63c9291160384a3a2844036
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Feb 16 09:23:06 2018 +0100

    dev-vcs/git: stable 2.16.1 for sparc, bug #647446
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-17 21:46:32 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-25 11:58:57 UTC
hppa stable
Comment 7 Mart Raudsepp gentoo-dev 2018-03-02 23:56:00 UTC
arm64 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-05 13:59:16 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-03-06 19:39:04 UTC
arm stable
Comment 10 Matt Turner gentoo-dev 2018-03-12 02:08:58 UTC
I get test failures in t5000 which I remember seeing before. Stabilized anyway...

ppc/ppc64 done
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 17:58:45 UTC
@Maintainers please remove vulnerable versions.

GLSA Request filed.
Comment 12 Larry the Git Cow gentoo-dev 2018-03-12 18:55:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10695ef636e1cfd7cc146a76ed8fab7f9ef38422

commit 10695ef636e1cfd7cc146a76ed8fab7f9ef38422
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-03-12 18:54:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-03-12 18:54:58 +0000

    dev-vcs/git: Security cleanup.
    
    Bug: https://bugs.gentoo.org/647446
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-vcs/git/Manifest          |  12 -
 dev-vcs/git/git-2.13.6.ebuild | 678 ----------------------------------------
 dev-vcs/git/git-2.14.3.ebuild | 696 ------------------------------------------
 dev-vcs/git/git-2.15.1.ebuild | 696 ------------------------------------------
 dev-vcs/git/git-2.16.0.ebuild | 696 ------------------------------------------
 5 files changed, 2778 deletions(-)}
Comment 13 Markus Meier gentoo-dev 2018-03-13 17:52:58 UTC
arm stable
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-03-26 16:39:36 UTC
This falls into hardening and not interacting with malicious or untrusted Git servers. Second, MITM would compromise much more than just this and it is highly advisable to use a secured protocol when cloning,pushing, etc.

While the technical fix will address one of these it does not address all.