[Bug 2008277] Re: git 1:2.17.1-1ubuntu0.16 in Bionic still vulnerable to CVE-2023-22490
Emilio Pozuelo Monfort
2008277@bugs.launchpad.net
Mon Mar 6 08:40:03 UTC 2023
Made this visible now that it's fixed.
btw I can't check if xenial is affected as I don't have access to ESM,
but that should be double-checked.
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/2008277
Title:
git 1:2.17.1-1ubuntu0.16 in Bionic still vulnerable to CVE-2023-22490
Status in git package in Ubuntu:
Fix Released
Bug description:
Hi,
While backporting the latest git security fixes to Debian 9 buster, I
looked at the Bionic update and realised a patch was missing. I
thought maybe the patch wasn't needed, but I applied the test case in
the buster source and it failed. Indeed, it's also failing on bionic:
osboxes@osboxes:~/tmp$ dpkg-query -f '${Version}\n' -W git
1:2.17.1-1ubuntu0.16
osboxes@osboxes:~/tmp$ mkdir local-dir
osboxes@osboxes:~/tmp$ echo secret > local-dir/file
osboxes@osboxes:~/tmp$ git init repo1
Initialized empty Git repository in /home/osboxes/tmp/repo1/.git/
osboxes@osboxes:~/tmp$ rm -r repo1/.git/objects/
osboxes@osboxes:~/tmp$ ln -s `pwd`/local-dir repo1/.git/objects
osboxes@osboxes:~/tmp$ git clone repo1 repo2
Cloning into 'repo2'...
warning: You appear to have cloned an empty repository.
done.
osboxes@osboxes:~/tmp$ cat repo2/.git/objects/file
secret
The git clone repo1 repo2 should have failed, complaining that objects
is a symlink.
https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c
needs to be backported, for which the easiest (and safest) route is to
backport a couple of changes in dir-iterator. See the deb10u8.
Cheers,
Emilio
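The report above shows an unpatched git copying the target of a symlinked .git/objects into the clone. As an added example (not part of the bug report and not git's own code), the following POSIX shell helpers implement the check a defender would want before doing a local clone of an untrusted repository on a host that may still carry the vulnerable package: refuse when the source object store is, or contains, a symlink, and otherwise clone with --no-local so that objects are transferred through git's normal transport instead of copied as a directory tree. The function names, the assumption that the git directory is <repo>/.git (bare repositories are not handled), and the demo setup are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): reject local clones whose source
# object store contains symlinks, the condition the report's test case hits.
# Assumes POSIX sh with find, and a non-bare repository at <repo>/.git.
set -e

# objects_has_symlink REPO
# Returns 0 if REPO/.git/objects or anything beneath it is a symlink,
# 1 if the object store is clean, 2 if REPO has no .git directory.
objects_has_symlink() {
    repo="$1"
    objdir="$repo/.git/objects"
    [ -d "$repo/.git" ] || return 2
    # The objects directory itself being a symlink is exactly the
    # situation in the report (ln -s .../local-dir repo1/.git/objects).
    if [ -L "$objdir" ]; then
        return 0
    fi
    # Also reject symlinks anywhere beneath objects/, e.g. objects/pack.
    # "head -n 1" keeps this portable (no GNU-only -quit).
    if [ -n "$(find "$objdir" -type l 2>/dev/null | head -n 1)" ]; then
        return 0
    fi
    return 1
}

# safe_local_clone SRC DST
# Refuses to clone when SRC's object store contains symlinks; otherwise
# clones with --no-local, which transfers objects over git's transport
# rather than copying or hard-linking the objects directory.
safe_local_clone() {
    src="$1"
    dst="$2"
    if objects_has_symlink "$src"; then
        echo "refusing to clone '$src': .git/objects contains a symlink" >&2
        return 1
    fi
    git clone --no-local "$src" "$dst"
}

# demo: constructed reproduction of the report's setup in a temporary
# directory, showing that the check fires before any clone is attempted.
# Requires git; not run automatically.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/local-dir"
    echo secret > "$tmp/local-dir/file"
    git init -q "$tmp/repo1"
    rm -r "$tmp/repo1/.git/objects"
    ln -s "$tmp/local-dir" "$tmp/repo1/.git/objects"
    if objects_has_symlink "$tmp/repo1"; then
        echo "symlink in object store detected; clone refused"
    fi
    rm -rf "$tmp"
}
```

Run `demo` after sourcing the file to see the check trigger on the same layout the report uses; `safe_local_clone repo1 repo2` is the drop-in replacement for the plain `git clone repo1 repo2` from the report. The --no-local fallback is this example's suggested mitigation for hosts awaiting the backport, not something the report itself recommends.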