[Bug 1970260] Re: SECURITY: safe.directory backport doesn't check key name
Seth Arnold
1970260 at bugs.launchpad.net
Sat May 7 03:16:12 UTC 2022
Thanks, Ray
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1970260
Title:
SECURITY: safe.directory backport doesn't check key name
Status in git package in Ubuntu:
Fix Released
Bug description:
The recent backport of the security fix for CVE-2022-24765 does not
contain enough of the upstream fix for the issue. Specifically, it
does not contain a subsequent commit that corrects the omission of
checking the key name when searching the config file for safe
directories.
In the implementation backported to Ubuntu, the config file parser
does not check the name of the key when scanning key/value pairs for
directories that should be considered as safe. As such, any key whose
value looks like a directory name will cause that directory to be
treated as safe (i.e., "foo.bar = /path/to/something" is functionally
equivalent to "safe.directory = /path/to/something").
Upstream commit bb50ec3cc300eeff3aba7a2bea145aabdb477d31, which fixes
the issue, is attached as a patch.
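An added example, not code from the git project or from the patch attached to the bug, that models the two parser behaviours the description contrasts: a constructed three-line config, a split_kv helper (an assumption of this model; real git config syntax with sections and quoting is not parsed), and dir_is_safe with the key check either omitted, as in the backport, or present, as in the upstream fix.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed config lines in "section.key = value" form (not a real .gitconfig). */
static const char *const SAMPLE_CONFIG[] = {
    "core.bare = false",
    "foo.bar = /srv/repo",                  /* unrelated key, path-like value */
    "safe.directory = /home/alice/project", /* the only key that should count */
};
#define N_SAMPLE (sizeof SAMPLE_CONFIG / sizeof SAMPLE_CONFIG[0])

/* Split "key = value" into two buffers; returns false for a malformed line. */
static bool split_kv(const char *line, char *key, size_t klen, char *val, size_t vlen)
{
    const char *eq = strchr(line, '=');
    if (!eq) return false;
    size_t k = (size_t)(eq - line);
    while (k > 0 && line[k - 1] == ' ') k--;   /* trim spaces before '=' */
    if (k == 0 || k >= klen) return false;
    memcpy(key, line, k);
    key[k] = '\0';
    const char *v = eq + 1;
    while (*v == ' ') v++;                     /* trim spaces after '=' */
    if (strlen(v) >= vlen) return false;
    strcpy(val, v);
    return true;
}

/* Scan the config for dir. check_key == false models the backported parser:
 * only the value is compared, so any key with a matching value marks dir safe.
 * check_key == true models the upstream fix: entries whose key is not exactly
 * "safe.directory" are skipped before the value is looked at. */
static bool dir_is_safe(const char *dir, const char *const *cfg, size_t n, bool check_key)
{
    char key[64], val[256];
    for (size_t i = 0; i < n; i++) {
        if (!split_kv(cfg[i], key, sizeof key, val, sizeof val)) continue;
        if (check_key && strcmp(key, "safe.directory") != 0)
            continue; /* the check the backport omitted */
        if (strcmp(val, dir) == 0) return true;
    }
    return false;
}

int main(void)
{
    /* "/srv/repo" appears only under foo.bar: safe for the backport, not for the fix. */
    return (dir_is_safe("/srv/repo", SAMPLE_CONFIG, N_SAMPLE, false) &&
            !dir_is_safe("/srv/repo", SAMPLE_CONFIG, N_SAMPLE, true)) ? 0 : 1;
}
```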