CVE-2018-1000021 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000021): GIT version 2.15.1 and earlier contains an Input Validation Error vulnerability in the client that can result in problems ranging from messing up terminal configuration to RCE. This attack appears to be exploitable when the user interacts with a malicious git server (or has their traffic modified in a MITM attack). @Maintainers: 2.16.1 is already in tree; please call for stabilization when ready. Thank you.
Arches, please stabilize =dev-vcs/git-2.16.1
x86 stable
amd64 stable
commit 3e39d2d249c1dd97f63c9291160384a3a2844036
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Feb 16 09:23:06 2018 +0100

    dev-vcs/git: stable 2.16.1 for sparc, bug #647446
ia64 stable
hppa stable
arm64 stable
Stable on alpha.
arm stable
I get test failures in t5000, which I remember seeing before. Stabilized anyway... ppc/ppc64 done
@Maintainers please remove vulnerable versions. GLSA Request filed.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10695ef636e1cfd7cc146a76ed8fab7f9ef38422

commit 10695ef636e1cfd7cc146a76ed8fab7f9ef38422
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-03-12 18:54:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-03-12 18:54:58 +0000

    dev-vcs/git: Security cleanup.

    Bug: https://bugs.gentoo.org/647446
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-vcs/git/Manifest          |  12 -
 dev-vcs/git/git-2.13.6.ebuild | 678 ----------------------------------------
 dev-vcs/git/git-2.14.3.ebuild | 696 ------------------------------------------
 dev-vcs/git/git-2.15.1.ebuild | 696 ------------------------------------------
 dev-vcs/git/git-2.16.0.ebuild | 696 ------------------------------------------
 5 files changed, 2778 deletions(-)
This falls into hardening and not interacting with malicious or untrusted Git servers. Second, MITM would compromise much more than just this, and it is highly advisable to use a secured protocol when cloning, pushing, etc. While the technical fix will address one of these, it does not address all.
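Two practical checks that follow from this thread, written as an added example (not code from the bug, from Gentoo or from git upstream). The first takes the banner printed by `git --version` and decides whether that git predates the fix; the assumption, taken from this bug rather than from the CVE text, is that everything below 2.16.1 is affected, since the security cleanup above removed 2.16.0 alongside the older ebuilds. The second writes the `protocol.allow` policy (a real git config option, available since git 2.12) that implements the "use a secured protocol" advice by refusing git://, cleartext http and any other transport except https and ssh. The banners fed to the check at the bottom are constructed sample input; in real use you would pass `"$(git --version)"`.

```shell
#!/bin/sh
# Added example, not code from this bug or from git itself.
# Assumption taken from the bug: the fix ships in 2.16.1, and the ebuilds
# removed in the cleanup (2.13.6 .. 2.16.0) are all affected, so any
# git older than 2.16.1 is treated as vulnerable.
FIXED_VERSION=2.16.1

# "git version 2.16.1" -> "2.16.1". Only the leading numeric components are
# kept, so "git version 2.39.2 (Apple Git-143)" and
# "git version 2.16.1.windows.1" both reduce to a plain dotted version.
# Prints nothing if the banner is not recognised.
git_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p'
}

# Numeric, component-by-component comparison of dotted versions; a missing
# component counts as 0, so "2.16" sorts below "2.16.1" and equal to "2.16.0".
# Exit status 0 if $1 < $2, 1 otherwise. (Plain string comparison would get
# "2.9.5" vs "2.16.1" wrong, which is why this is not a one-liner.)
version_lt() {
    lhs=$1 rhs=$2
    while [ -n "$lhs" ] || [ -n "$rhs" ]; do
        a=${lhs%%.*}; b=${rhs%%.*}
        case $lhs in *.*) lhs=${lhs#*.} ;; *) lhs= ;; esac
        case $rhs in *.*) rhs=${rhs#*.} ;; *) rhs= ;; esac
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 1; fi
    done
    return 1
}

# $1: the banner printed by `git --version`.
# Exit 0 if that git is affected, 1 if it carries the fix, 2 if unrecognised.
affected_by_cve_2018_1000021() {
    ver=$(git_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised git --version output: $1" >&2
        return 2
    fi
    version_lt "$ver" "$FIXED_VERSION"
}

# Transport policy for the hardening point made in the last comment: only
# https and ssh are allowed for clone/fetch/push; git://, http:// and any
# remote helper are refused, and plain file paths are allowed only when
# the user types them (not via recursive submodule fetches). Appends the
# policy to the config file given as $1 (e.g. ~/.gitconfig); it is the
# file form of `git config --global protocol.allow never` and friends.
write_transport_policy() {
    cat >>"$1" <<'EOF'
[protocol]
	allow = never
[protocol "https"]
	allow = always
[protocol "ssh"]
	allow = always
[protocol "file"]
	allow = user
EOF
}

# Constructed sample banners (not taken from the bug). Real use:
#   affected_by_cve_2018_1000021 "$(git --version)"
for banner in "git version 2.15.1" "git version 2.16.0" \
              "git version 2.16.1" "git version 2.39.2 (Apple Git-143)"; do
    if affected_by_cve_2018_1000021 "$banner"; then
        echo "AFFECTED: $banner"
    else
        echo "ok:       $banner"
    fi
done
```

To apply the policy, run `write_transport_policy ~/.gitconfig` once and then verify with `git config --get protocol.allow`; a subsequent `git clone git://...` fails with a "transport 'git' not allowed" error instead of talking to the server over a tamperable channel.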