Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718710 (CVE-2020-11008) - <dev-vcs/git-{2.23.3,2.24.3,2.25.4}: Crafted URL could leak credential information (CVE-2020-11008)
Summary: <dev-vcs/git-{2.23.3,2.24.3,2.25.4}: Crafted URL could leak credential inform...
Status: RESOLVED FIXED
Alias: CVE-2020-11008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://raw.githubusercontent.com/git...
Whiteboard: A4 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-04-21 08:04 UTC by Sam James
Modified: 2020-06-20 00:53 UTC (History)
2 users (show)

See Also:
Package list:
=dev-vcs/git-2.23.3 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.24.3 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.25.4 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86 =dev-vcs/git-2.26.2 amd64 arm arm64 hppa ppc ppc64 s390 sparc x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-21 08:04:49 UTC
From release notes:
   With a crafted URL that contains a newline or empty host, or lacks
   a scheme, the credential helper machinery can be fooled into
   providing credential information that is not appropriate for the
   protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
   credentials are not for a host of the attacker's choosing; instead,
   they are for some unspecified host (based on how the configured
   credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with
   under-specified credential patterns.

----
Fixed in (relevant versions for us): 2.23.4, 2.24.3, 2.25.4, 2.26.2.

Thanks to Polynomial-C for pinging about this, he was already doing bumps!
Comment 1 Larry the Git Cow gentoo-dev 2020-04-21 08:24:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63f418f2391e7cb6048b25c39af0cbb6d2a66947

commit 63f418f2391e7cb6048b25c39af0cbb6d2a66947
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-21 08:23:09 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-21 08:24:40 +0000

    dev-vcs/git: Security bump to ver 2.23.4, 2.24.3, 2.25.4 and 2.26.2
    
    Bug: https://bugs.gentoo.org/718710
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest          |  12 +
 dev-vcs/git/git-2.23.3.ebuild | 725 +++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.24.3.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.25.4.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.26.2.ebuild | 728 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 2921 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2020-04-21 09:36:23 UTC
Unable to check for sanity:

> no match for package: =dev-vcs/git-2.23.4
Comment 3 Sam James archtester gentoo-dev Security 2020-04-21 20:52:55 UTC
arm64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 13:45:50 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-23 06:22:22 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-23 06:25:43 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-23 06:26:53 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-23 06:27:41 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-23 06:28:24 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-23 06:30:23 UTC
x86 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-04-23 14:47:13 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-04-23 15:18:37 UTC
This issue was resolved and addressed in
 GLSA 202004-13 at https://security.gentoo.org/glsa/202004-13
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-04-23 15:19:09 UTC
Re-opening for remaining architectures.
Comment 14 Rolf Eike Beer 2020-04-26 09:18:08 UTC
hppa stable
Comment 15 Sam James archtester gentoo-dev Security 2020-04-28 19:41:42 UTC
@maintainer(s), please cleanup
Comment 16 Larry the Git Cow gentoo-dev 2020-04-29 08:38:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6177833229b03609d2a0073c4839a208dec18f5c

commit 6177833229b03609d2a0073c4839a208dec18f5c
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-29 08:38:35 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-29 08:38:53 +0000

    dev-vcs/git: Security cleanup
    
    Bug: https://bugs.gentoo.org/718710
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest             |  27 --
 dev-vcs/git/git-2.23.1-r1.ebuild | 725 --------------------------------------
 dev-vcs/git/git-2.23.2.ebuild    | 725 --------------------------------------
 dev-vcs/git/git-2.24.1.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.24.2.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.1.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.2.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.25.3.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.26.0.ebuild    | 728 ---------------------------------------
 dev-vcs/git/git-2.26.1.ebuild    | 728 ---------------------------------------
 10 files changed, 6573 deletions(-)