FEDORA-2019-c841bcc3b9 created by tmz 7 months ago for Fedora 31
stable

Per the upstream release announcement¹, this release fixes "various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc. See the release notes attached for the list for their descriptions and CVE identifiers."

Refer to the 2.14.6 release notes² for details on these vulnerabilities and the 2.24.0 release notes³ for details on other improvements and fixes since 2.23.0.

¹ https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
² https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.14.6.txt
³ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.24.0.txt

How to install

sudo dnf upgrade --advisory=FEDORA-2019-c841bcc3b9

This update has been submitted for testing by tmz.

7 months ago

This update's test gating status has been changed to 'waiting'.

7 months ago

This update's test gating status has been changed to 'ignored'.

7 months ago

This update has been pushed to testing.

7 months ago

tmz edited this update.

7 months ago

tmz edited this update.

7 months ago
jlanda provided feedback 7 months ago
atim commented & provided feedback 7 months ago

LGTM, some basic tests.

This update can be pushed to stable now if the maintainer wishes

7 months ago
jayjayjazz commented & provided feedback 7 months ago

WFM on x86_64.

elxreno commented & provided feedback 7 months ago

WFM.

pwalter commented & provided feedback 7 months ago

Works

walters commented & provided feedback 7 months ago

This is a pretty important security update - any reason not to push the button to ship it?

tmz commented & provided feedback 7 months ago

Yes. It's a bump from 2.23.0 to 2.24.1 (which was in the works before these issues arose). While 5 of the 9 issues fixed here are rated as high severity (per https://github.com/git/git/security/advisories), only one of those 5 has the potential to affect Linux users -- and even then only where git is cloning to an NTFS networked drive with short names enabled.

So the risk to Fedora users is considerably lower than it is to Windows git users. (The severity is set to high per the security team's initial bug assessments, but I suspect that after more thorough review that might be lowered -- but the Fedora updates should all be pushed to stable before then.)

Thus I feel comfortable letting this spend a few more days in testing to ensure we don't run into any issues in the 2.23.0 -> 2.24.1 bump. I really don't expect any, thanks to the care which upstream takes to avoid regressions, but I'd rather not cause anyone trouble which can be avoided by a little more testing.

Thanks for the poke in any case. I appreciate the nudge to ensure this wasn't an unintentional delay!

cairo provided feedback 7 months ago
smithp commented & provided feedback 7 months ago

+1

This update has been submitted for stable by tmz.

7 months ago

This update has been pushed to stable.

7 months ago

Metadata
Type: security
Severity: high
Karma: 7
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 9
Stable by Time: 14 days
Dates
submitted: 7 months ago
in testing: 7 months ago
in stable: 7 months ago
modified: 7 months ago
Bugs fixed:
BZ#1766626 BR on jgit is conditionalised
BZ#1768064 Extra whitespace in 'git pull' when using Git 2.22 and above on Fedora 31 server
BZ#1781127 CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
BZ#1781143 CVE-2019-1349 git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
BZ#1781953 CVE-2019-1348 git: Arbitrary path overwriting via export-marks in-stream command feature
BZ#1781954 CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]
BZ#1781955 CVE-2019-1348 git: Arbitrary path overwriting via export-marks command option [fedora-all]
BZ#1781957 CVE-2019-1349 git: recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/ [fedora-all]
BZ#1781958 CVE-2019-1350 git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone
BZ#1781959 CVE-2019-1350 git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone [fedora-all]
BZ#1781960 CVE-2019-1351 git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning
BZ#1781961 CVE-2019-1351 git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning [fedora-all]
BZ#1781963 CVE-2019-1352 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
BZ#1781964 CVE-2019-1352 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all]
BZ#1781966 CVE-2019-1353 git: NTFS protections inactive when running Git in the Windows Subsystem for Linux
BZ#1781967 CVE-2019-1353 git: NTFS protections inactive when running Git in the Windows Subsystem for Linux [fedora-all]
BZ#1781968 CVE-2019-1354 git: Git does not refuse to write out tracked files with backslashes in filenames
BZ#1781969 CVE-2019-1354 git: Git does not refuse to write out tracked files with backslashes in filenames [fedora-all]
BZ#1781971 CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user's explicit consent
BZ#1781972 CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user's explicit consent [fedora-all]