Bug 667942 (CVE-2018-17456) - <dev-vcs/git-2.18.1: arbitrary code execution via .gitmodules (CVE-2018-17456)
Status: RESOLVED FIXED
Alias: CVE-2018-17456
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2018/q4/19
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 667268
Reported: 2018-10-07 09:39 UTC by Hanno Böck
Modified: 2018-11-25 01:18 UTC

See Also:
Package list:
dev-vcs/git-2.18.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2018-10-07 09:39:09 UTC
An RCE in Git when checking out submodules has been found:
https://blog.github.com/2018-10-05-git-submodule-vulnerability/
https://seclists.org/oss-sec/2018/q4/19

Upstream fixes in 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1.
This is already bumped.

Our current stable in most archs is 2.18.0, so I believe 2.18.1 or 2.19.1 should be stabilized.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-09 08:33:49 UTC
amd64 stable
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-09 21:25:13 UTC
x86 stable
Comment 3 Rolf Eike Beer archtester 2018-10-10 05:16:50 UTC
sparc stable.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-13 06:57:13 UTC
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-13 16:23:04 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-14 09:48:23 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-14 10:03:47 UTC
ppc64 stable
Comment 8 Mart Raudsepp gentoo-dev 2018-10-14 12:07:46 UTC
arm64 stable, including unlisted new dev-perl/MailTools dep
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-14 16:19:42 UTC
s390/sh stable. m68k does not have the keyword.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-27 18:56:14 UTC
ia64 stable
Comment 11 Markus Meier gentoo-dev 2018-10-31 17:16:55 UTC
arm stable, all arches done.