Bug 659288 (CVE-2018-10857, CVE-2018-10859) - <dev-vcs/git-annex-8.20200617: private data exposure (CVE-2018-{10857,10859})
Summary: <dev-vcs/git-annex-8.20200617: private data exposure (CVE-2018-{10857,10859})
Status: RESOLVED FIXED
Alias: CVE-2018-10857, CVE-2018-10859
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://git-annex.branchable.com/secu...
Whiteboard: ~4 [cleanup cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2018-06-26 19:26 UTC by Florian Schuhmacher
Modified: 2020-08-06 14:47 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Florian Schuhmacher 2018-06-26 19:26:15 UTC
CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
exposure and exfiltration attack. It could expose the content of files
located outside the git-annex repository, or content from a private web
server on localhost or the LAN. Joey Hess discovered this attack.

CVE-2018-10859: A malicious server for a special remote could
trick git-annex into decrypting a file that was encrypted to the user's gpg
key. This attack could be used to expose encrypted data that was never
stored in git-annex. Daniel Dent discovered this attack in collaboration
with Joey Hess.

git-annex version 6.20180626 fixes these problems.

Gentoo Security Scout
Florian Schuhmacher
Comment 2 Sam James archtester gentoo-dev Security 2020-05-05 22:44:06 UTC
@maintainer(s): ping
Comment 3 Larry the Git Cow gentoo-dev 2020-08-01 08:08:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=928f50920afc24e8b5783ac59a41cb6b6a4358aa

commit 928f50920afc24e8b5783ac59a41cb6b6a4358aa
Author:     Jack Todaro <solpeth@posteo.org>
AuthorDate: 2020-07-30 00:46:15 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-08-01 08:02:12 +0000

    dev-vcs/git-annex: bump up to 8.20200617
    
    Bug: https://bugs.gentoo.org/659288
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Jack Todaro <solpeth@posteo.org>
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-vcs/git-annex/Manifest                    |   1 +
 dev-vcs/git-annex/git-annex-8.20200617.ebuild | 160 ++++++++++++++++++++++++++
 dev-vcs/git-annex/metadata.xml                |   3 +
 3 files changed, 164 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2020-08-03 07:46:49 UTC
Thanks! Please cleanup when ready.
Comment 5 Larry the Git Cow gentoo-dev 2020-08-03 22:58:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7af25e0ef157fc58c8d99541013f8bae68adddd

commit a7af25e0ef157fc58c8d99541013f8bae68adddd
Author:     Jack Todaro <solpeth@posteo.org>
AuthorDate: 2020-08-03 20:28:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-08-03 22:58:17 +0000

    dev-vcs/git-annex: remove old
    
    Bug: https://bugs.gentoo.org/659288
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Jack Todaro <solpeth@posteo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16987
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-vcs/git-annex/Manifest                         |   1 -
 .../files/git-annex-6.20160114-QC-2.8.2.patch      |  16 --
 .../files/git-annex-6.20161210-directory-1.3.patch |   9 --
 .../files/git-annex-6.20170101-crypto-api.patch    |   8 -
 dev-vcs/git-annex/git-annex-6.20170818-r1.ebuild   | 161 ---------------------
 dev-vcs/git-annex/metadata.xml                     |   2 -
 6 files changed, 197 deletions(-)
Comment 6 Jack Todaro 2020-08-06 09:47:34 UTC
(In reply to Sam James from comment #4)
> Thanks! Please cleanup when ready.
You're welcome! Are we able to now mark this as resolved? Clean up was performed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7af25e0ef157fc58c8d99541013f8bae68adddd
Comment 7 Sam James archtester gentoo-dev Security 2020-08-06 14:47:52 UTC
(In reply to Jack Todaro from comment #6)
> (In reply to Sam James from comment #4)
> > Thanks! Please cleanup when ready.
> You're welcome! Are we able to now mark this as resolved? Clean up was
> performed in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=a7af25e0ef157fc58c8d99541013f8bae68adddd

Yep, all done! :)

~ package, so no glsa, closing.