| author | Sylvain Beucler <beuc@beuc.net> | 2022-12-14 19:49:13 +0100 |
|---|---|---|
| committer | Sylvain Beucler <beuc@beuc.net> | 2022-12-14 19:49:13 +0100 |
| commit | 725291ca5f94ed23481ba10d6665e5aaa42d7216 | |
| tree | 763d5004f040a0f65e34fefa9d50d8bb76f12d92 | |
| parent | 02f7e3e4c68c34b706a344e7c12e8ceeacb60037 | |
DLA-3239 for git
-rw-r--r-- | english/lts/security/2022/dla-3239-2.data | 9
-rw-r--r-- | english/lts/security/2022/dla-3239-2.wml | 72
-rw-r--r-- | english/lts/security/2022/dla-3239.data | 10
-rw-r--r-- | english/lts/security/2022/dla-3239.wml | 67
4 files changed, 158 insertions, 0 deletions
diff --git a/english/lts/security/2022/dla-3239-2.data b/english/lts/security/2022/dla-3239-2.data new file mode 100644 index 00000000000..e77c83b09af --- /dev/null +++ b/english/lts/security/2022/dla-3239-2.data @@ -0,0 +1,9 @@ +<define-tag pagetitle>DLA-3239-2 git</define-tag> +<define-tag report_date>2022-12-14</define-tag> +<define-tag packages>git</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2022/dla-3239-2.wml b/english/lts/security/2022/dla-3239-2.wml new file mode 100644 index 00000000000..2fabde437b3 --- /dev/null +++ b/english/lts/security/2022/dla-3239-2.wml 
@@ -0,0 +1,72 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>In rare conditions, the previous git update released as DLA-3239-1 +could generate a segmentation fault, which prevented its availability +on armhf architecture. This update addresses this issue. For reference +the original advisory text follows.</p> + +<p>Multiple issues were found in Git, a distributed revision control +system. An attacker may cause other local users into executing +arbitrary commands, leak information from the local filesystem, and +bypass restricted shell. +<p><b>Note</b>: Due to new security checks, access to repositories owned and +accessed by different local users may now be rejected by Git; in case +changing ownership is not practical, git displays a way to bypass +these checks using the new <q>safe.directory</q> configuration entry.</p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-24765">CVE-2022-24765</a> + + <p>Git is not checking the ownership of directories in a local + multi-user system when running commands specified in the local + repository configuration. This allows the owner of the repository + to cause arbitrary commands to be executed by other users who + access the repository.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-29187">CVE-2022-29187</a> + + <p>An unsuspecting user could still be affected by the issue reported + in <a href="https://security-tracker.debian.org/tracker/CVE-2022-24765">CVE-2022-24765</a>, for example when navigating as root into a + shared tmp directory that is owned by them, but where an attacker + could create a git repository.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-39253">CVE-2022-39253</a> + + <p>Exposure of sensitive information to a malicious actor. 
When + performing a local clone (where the source and target of the clone + are on the same volume), Git copies the contents of the source's + `$GIT_DIR/objects` directory into the destination by either + creating hardlinks to the source contents, or copying them (if + hardlinks are disabled via `--no-hardlinks`). A malicious actor + could convince a victim to clone a repository with a symbolic link + pointing at sensitive information on the victim's machine.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-39260">CVE-2022-39260</a> + + <p>`git shell` improperly uses an `int` to represent the number of + entries in the array, allowing a malicious actor to intentionally + overflow the return value, leading to arbitrary heap + writes. Because the resulting array is then passed to `execv()`, + it is possible to leverage this attack to gain remote code + execution on a victim machine.</p></li> + +</ul> + +<p>For Debian 10 buster, this problem has been fixed in version +1:2.20.1-2+deb10u6.</p> + +<p>We recommend that you upgrade your git packages.</p> + +<p>For the detailed security status of git please refer to +its security tracker page at: +<a href="https://security-tracker.debian.org/tracker/git">https://security-tracker.debian.org/tracker/git</a></p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2022/dla-3239-2.data" +# $Id: $ diff --git a/english/lts/security/2022/dla-3239.data b/english/lts/security/2022/dla-3239.data new file mode 100644 index 00000000000..bd1a1827f00 --- /dev/null +++ b/english/lts/security/2022/dla-3239.data 
@@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-3239-1 git</define-tag> +<define-tag report_date>2022-12-14</define-tag> +<define-tag secrefs>CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 Bug#1014848 Bug#1022046</define-tag> +<define-tag packages>git</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2022/dla-3239.wml b/english/lts/security/2022/dla-3239.wml new file mode 100644 index 00000000000..c7372c5d5ce --- /dev/null +++ b/english/lts/security/2022/dla-3239.wml 
@@ -0,0 +1,67 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>Multiple issues were found in Git, a distributed revision control +system. An attacker may cause other local users into executing +arbitrary commands, leak information from the local filesystem, and +bypass restricted shell. +<p><b>Note</b>: Due to new security checks, access to repositories owned and +accessed by different local users may now be rejected by Git; in case +changing ownership is not practical, git displays a way to bypass +these checks using the new <q>safe.directory</q> configuration entry.</p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-24765">CVE-2022-24765</a> + + <p>Git is not checking the ownership of directories in a local + multi-user system when running commands specified in the local + repository configuration. This allows the owner of the repository + to cause arbitrary commands to be executed by other users who + access the repository.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-29187">CVE-2022-29187</a> + + <p>An unsuspecting user could still be affected by the issue reported + in <a href="https://security-tracker.debian.org/tracker/CVE-2022-24765">CVE-2022-24765</a>, for example when navigating as root into a + shared tmp directory that is owned by them, but where an attacker + could create a git repository.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-39253">CVE-2022-39253</a> + + <p>Exposure of sensitive information to a malicious actor. When + performing a local clone (where the source and target of the clone + are on the same volume), Git copies the contents of the source's + `$GIT_DIR/objects` directory into the destination by either + creating hardlinks to the source contents, or copying them (if + hardlinks are disabled via `--no-hardlinks`). 
A malicious actor + could convince a victim to clone a repository with a symbolic link + pointing at sensitive information on the victim's machine.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-39260">CVE-2022-39260</a> + + <p>`git shell` improperly uses an `int` to represent the number of + entries in the array, allowing a malicious actor to intentionally + overflow the return value, leading to arbitrary heap + writes. Because the resulting array is then passed to `execv()`, + it is possible to leverage this attack to gain remote code + execution on a victim machine.</p></li> + +</ul> + +<p>For Debian 10 buster, these problems have been fixed in version +1:2.20.1-2+deb10u5.</p> + +<p>We recommend that you upgrade your git packages.</p> + +<p>For the detailed security status of git please refer to +its security tracker page at: +<a href="https://security-tracker.debian.org/tracker/git">https://security-tracker.debian.org/tracker/git</a></p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2022/dla-3239.data" +# $Id: $ |
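Review bot: dla-3239-2.data carries no `<define-tag secrefs>` line, whereas dla-3239.data lists `CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 Bug#1014848 Bug#1022046`; if the regression advisory is meant to be indexed against the same references on the tracker, add the identical `secrefs` tag to the -2 data file, and if the omission is deliberate for a regression-only update, a one-line comment saying so would spare the next editor the question.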
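Review bot: in dla-3239-2.wml the paragraph opened by `<p>Multiple issues were found in Git, a distributed revision control` is never closed: it ends at `bypass restricted shell.` and the next line starts `<p><b>Note</b>:` with no `</p>` in between, so the generated HTML is not well-formed; add the closing tag. Two wording points in the same file: `An attacker may cause other local users into executing arbitrary commands` mixes two constructions and should read either `cause other local users to execute` or `trick other local users into executing`, and `prevented its availability on armhf architecture` wants the article, `on the armhf architecture`.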
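Review bot: dla-3239.wml has the same unclosed paragraph as the -2 advisory: `<p>Multiple issues were found in Git` runs to `bypass restricted shell.` and is followed directly by `<p><b>Note</b>:` without a `</p>`, and it carries the same `cause other local users into executing arbitrary commands` phrasing; since dla-3239-2.wml reproduces this text verbatim after "the original advisory text follows", correct both files in one go so the two advisories stay identical where they are meant to be.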