[Bug 2003246] Re: Git 2.25.1 CVE-2022-23521 patches may be missing a small portion of the fixes
Alex Murray
2003246 at bugs.launchpad.net
Thu Jan 19 23:39:53 UTC 2023
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/2003246
Title:
Git 2.25.1 CVE-2022-23521 patches may be missing a small portion of
the fixes
Status in git package in Ubuntu:
Fix Released
Bug description:
patches/CVE_2022_23521_and_41903/0012-attr-ignore-overly-large-
gitattributes-files.patch includes the updates to
read_attr_from_file() but lacks the updates to read_attr_from_index()
which can be seen here:
https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579#diff-f89b08f027f583c8719c7a22dba3ccc888b98aafc084c40df006c4e82a0ca278L730-L742.
Looking at https://github.com/git/git/blob/v2.25.1/attr.c#L731-L759 I
think 2.25.1 should include the patches for read_attr_from_index() as
well. I've also checked the patches dir for the git 2.25.1 package to
make sure some other patch doesn't fix this and as far as I can tell
they don't.
For clarity I've been looking at the patch content found within
http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.25.1-1ubuntu3.7.debian.tar.xz.
Finally, I haven't checked the other Ubuntu git packages for similar
problems. It is possible a similar issue exists in other versions of
this package.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/2003246/+subscriptions
More information about the foundations-bugs
mailing list