[Bug 1774061] Re: git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules
Launchpad Bug Tracker
1774061 at bugs.launchpad.net
Tue Jun 5 21:09:07 UTC 2018
This bug was fixed in the package git - 1:2.14.1-1ubuntu4.1
---------------
git (1:2.14.1-1ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0001-submodule-config-verify-submodule-names-as-paths.patch
    - 012-fsck-simplify-.git-check.patch
    - 013-fsck-actually-fsck-blob-data.patch
    - 014-fsck-detect-gitmodules-files.patch
    - 015-fsck-check-.gitmodules-content.patch
    - 016-fsck-call-fsck_finish-after-fscking-objects.patch
    - 017-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 018-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 003-is_hfs_dotgit-match-other-.git-files.patch
    - 004-is_ntfs_dotgit-match-other-.git-files.patch
    - 005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 006-skip_prefix-add-case-insensitive-variant.patch
    - 007-verify_path-drop-clever-fallthrough.patch
    - 008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 009-update-index-stat-updated-files-earlier.patch
    - 010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 011-index-pack-make-fsck-error-message-more-specific.patch
    - 019-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie <sbeattie at ubuntu.com>  Thu, 31 May 2018 22:52:33 -0700
** Changed in: git (Ubuntu)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/1774061
Title:
git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules
Status in git package in Ubuntu:
Fix Released
Bug description:
Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE-2018-11235 announced here:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
Debian has fixed packages here: https://security-tracker.debian.org/tracker/CVE-2018-11235
I could not find the fixed packages for Ubuntu: the Ubuntu link on the
above Debian tracker results in a 404, and there is no newer package
available in the repository for 18.04 LTS.