FEDORA-2018-080a3d7866 created by tmz 2 years ago for Fedora 27
stable

Upstream security fixes related to .gitmodules handling. From the upstream announcement:

* Submodule "names" come from the untrusted .gitmodules file, but we
  blindly append them to $GIT_DIR/modules to create our on-disk repo
  paths. This means you can do bad things by putting "../" into the
  name. We now enforce some rules for submodule names which will cause
  Git to ignore these malicious names (CVE-2018-11235).

  Credit for finding this vulnerability and the proof of concept from
  which the test script was adapted goes to Etienne Stalmans.

* It was possible to trick the code that sanity-checks paths on NTFS
  into reading a random piece of memory (CVE-2018-11233).

Also fix a segfault in rev-parse with invalid input (#1581678) and install contrib/diff-highlight (#1550251).
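The first item above describes the defensive rule Git adopted: a submodule name read from .gitmodules must not be able to walk out of $GIT_DIR/modules. The following is an added, stand-alone illustration of that kind of check (my own code, not Git's implementation and not part of this update): it parses the `[submodule "name"]` headers from a constructed .gitmodules sample, rejects any name that contains a `..` path component (checking both `/` and `\` as separators so the rule does not depend on the platform), and also confirms that the resulting on-disk path stays under the modules directory. The sample file contents, the `example.invalid` URLs and the function names are assumptions made for the example.

```python
import os
import re
from typing import Dict, List

# Constructed sample .gitmodules (not from the advisory): one ordinary entry,
# one whose "name" tries to escape the modules directory, one with a nested
# but harmless name.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../.git/hooks"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
[submodule "nested/ok"]
\tpath = vendor/nested
\turl = https://example.invalid/nested.git
"""

# Matches a section header such as [submodule "libfoo"]; the quoted value is
# the submodule "name" that Git would append to $GIT_DIR/modules.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')


def parse_submodule_names(text: str) -> List[str]:
    """Return the submodule names declared in a .gitmodules text, in order."""
    names = []
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def is_safe_submodule_name(name: str) -> bool:
    """Reject names that could resolve outside $GIT_DIR/modules.

    Rule (an assumption modelled on the advisory text): the name must be
    non-empty and no '/' or '\\' separated component may be '..'.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def stays_under_modules_dir(git_dir: str, name: str) -> bool:
    """Defence in depth: check the resolved path is still inside the modules dir."""
    modules_dir = os.path.normpath(os.path.join(git_dir, "modules"))
    target = os.path.normpath(os.path.join(modules_dir, name.replace("\\", "/")))
    return target == modules_dir or target.startswith(modules_dir + os.sep)


def audit_gitmodules(text: str, git_dir: str = ".git") -> Dict[str, List[str]]:
    """Split the declared names into those a safe checkout would accept or ignore."""
    accepted, rejected = [], []
    for name in parse_submodule_names(text):
        if is_safe_submodule_name(name) and stays_under_modules_dir(git_dir, name):
            accepted.append(name)
        else:
            rejected.append(name)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    for verdict, names in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(verdict, names)
```

Running the script on the constructed sample accepts `libfoo` and `nested/ok` and rejects `../../.git/hooks`; a name such as `..foo` is allowed because `..` only counts when it is a whole path component.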

How to install

sudo dnf upgrade --advisory=FEDORA-2018-080a3d7866

This update has been submitted for testing by tmz.

2 years ago

This update has been pushed to testing.

2 years ago

tmz edited this update.

New build(s):

  • git-2.14.4-1.fc27

Removed build(s):

  • git-2.14.3-4.fc27

Karma has been reset.

2 years ago

This update has been submitted for testing by tmz.

2 years ago

tmz edited this update.

2 years ago

tmz edited this update.

2 years ago

tmz edited this update.

2 years ago

This update has been pushed to testing.

2 years ago
leoluk commented & provided feedback 2 years ago:

Works fine, fixes critical security issue

tyrola provided feedback 2 years ago

This update has been submitted for batched by tmz.

2 years ago

This update has been submitted for stable by tmz.

2 years ago
cserpentis commented & provided feedback 2 years ago:

works for me in a VM

This update has been pushed to stable.

2 years ago


Metadata

Type: security
Severity: high
Karma: 4
Signed
Content Type: RPM
Test Gating
Settings: Unstable by Karma -3

Dates

submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago
BZ#1550251 diff-highlight needs building as part of the git package build
BZ#1581678 git: Null pointer dereference in git rev-parse with unknown hash
BZ#1583862 CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
BZ#1583878 CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository [fedora-all]
BZ#1583888 CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory
BZ#1583890 CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory [fedora-all]
