[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Launchpad Bug Tracker
1774061 at bugs.launchpad.net
Tue Jun 5 21:09:06 UTC 2018
This bug was fixed in the package git - 1:1.9.1-1ubuntu0.8
---------------
git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via
submodule names in .gitsubmodules.
- 0005-submodule-config-verify-submodule-names-as-paths.patch
- 0018-fsck-simplify-.git-check.patch
- 0020-fsck-actually-fsck-blob-data.patch
- 0025-fsck-detect-gitmodules-files.patch
- 0026-fsck-check-.gitmodules-content.patch
- 0027-fsck-call-fsck_finish-after-fscking-objects.patch
- 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
- 0029-index-pack-check-.gitmodules-files-with-strict.patch
- CVE-2018-11235 (LP: #1774061)
* SECURITY UPDATE: out-of-bounds memory access when sanity-checking
pathnames on NTFS
- 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
- CVE-2018-11233
* Do not allow .gitmodules to be a symlink:
* debian/rules: ensure added tests are executable.
- 0001-apply-reject-input-that-touches-outside-the-working-a.patch
- 0002-apply-do-not-read-from-the-filesystem-under-index.patch
- 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
- 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
- 0007-is_hfs_dotgit-match-other-.git-files.patch
- 0008-is_ntfs_dotgit-match-other-.git-files.patch
- 0009-skip_prefix-add-case-insensitive-variant.patch
- 0010-verify_path-drop-clever-fallthrough.patch
- 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
- 0012-update-index-stat-updated-files-earlier.patch
- 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
- 0014-sha1_file-add-read_loose_object-function.patch
- 0015-fsck-drop-inode-sorting-code.patch
- 0016-fsck-parse-loose-object-paths-directly.patch
- 0017-index-pack-make-fsck-error-message-more-specific.patch
- 0019-fsck_object-allow-passing-object-data-separately-from.patch
- 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
- 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
- 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
- 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
- 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
* move patches from debian/diff to quilt debian/patch/, to avoid
conflicts and overlooking already added patches
* Thanks to Jonathan Nieder <jrnieder at gmail.com> of Debian for
backporting to 2.1.x.
-- Steve Beattie <sbeattie at ubuntu.com> Mon, 04 Jun 2018 10:56:07 -0700
** Changed in: git (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1774061
Title:
git: CVE-2018-11235 arbitary code execution via submodule names in
.gitmodules
Status in git package in Ubuntu:
Fix Released
Bug description:
Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE 2018-11235 announced here:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
Debian has fixed packages here: https://security-
tracker.debian.org/tracker/CVE-2018-11235
I could not find the fixed packages for Ubuntu, the Ubuntu link on the
above debian tracker results in a 404, and there is no newer package
available in the repository for 18.04 LTS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1774061/+subscriptions
More information about the foundations-bugs
mailing list