Your message dated Sun, 15 Sep 2024 19:02:33 +0000
with message-id <[email protected]>
and subject line Bug#1071160: fixed in git 1:2.39.5-0+deb12u1
has caused the Debian Bug report #1071160,
regarding git: CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1071160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git
Version: 1:2.43.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for git.
CVE-2024-32002[0]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with
| submodules can be crafted in a way that exploits a bug in Git
| whereby it can be fooled into writing files not into the submodule's
| worktree but into a `.git/` directory. This allows writing a hook
| that will be executed while the clone operation is still running,
| giving the user no opportunity to inspect the code that is being
| executed. The problem has been patched in versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support
| is disabled in Git (e.g. via `git config --global core.symlinks
| false`), the described attack won't work. As always, it is best to
| avoid cloning repositories from untrusted sources.
CVE-2024-32004[1]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare
| a local repository in such a way that, when cloned, will execute
| arbitrary code during the operation. The problem has been patched in
| versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
| As a workaround, avoid cloning repositories from untrusted sources.
CVE-2024-32020[2]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up
| hardlinking files into the target repository's object database when
| source and target repository reside on the same disk. If the source
| repository is owned by a different user, then those hardlinked files
| may be rewritten at any point in time by the untrusted user. Cloning
| local repositories will cause Git to either copy or hardlink files
| of the source repository into the target repository. This
| significantly speeds up such local clones compared to doing a
| "proper" clone and saves both disk space and compute time. When
| cloning a repository located on the same disk that is owned by a
| different user than the current user we also end up creating such
| hardlinks. These files will continue to be owned and controlled by
| the potentially-untrusted user and can be rewritten by them at will
| in the future. The problem has been patched in versions 2.45.1,
| 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32021[3]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local
| source repository that contains symlinks via the filesystem, Git may
| create hardlinks to arbitrary user-readable files on the same
| filesystem as the target repository in the `objects/` directory.
| Cloning a local repository over the filesystem may create
| hardlinks to arbitrary user-owned files on the same filesystem in
| the target Git repository's `objects/` directory. When cloning a
| repository over the filesystem (without explicitly specifying the
| `file://` protocol or `--no-local`), the optimizations for local
| cloning will be used, which include attempting to hard link the
| object files instead of copying them. While the code includes checks
| against symbolic links in the source repository, which were added
| during the fix for CVE-2022-39253, these checks can still be raced
| because the hard link operation ultimately follows symlinks. If the
| object on the filesystem appears as a file during the check, and
| then a symlink during the operation, this will allow the adversary
| to bypass the check and create hardlinks in the destination objects
| directory to arbitrary, user-readable files. The problem has been
| patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2,
| and 2.39.4.
CVE-2024-32465[4]:
| Git is a revision control system. The Git project recommends to
| avoid working in untrusted repositories, and instead to clone it
| first with `git clone --no-local` to obtain a clean copy. Git has
| specific protections to make that a safe operation even with an
| untrusted source repository, but vulnerabilities allow those
| protections to be bypassed. In the context of cloning local
| repositories owned by other users, this vulnerability has been
| covered in CVE-2024-32004. But there are circumstances where the
| fixes for CVE-2024-32004 are not enough: For example, when obtaining
| a `.zip` file containing a full copy of a Git repository, it should
| not be trusted by default to be safe, as e.g. hooks could be
| configured to run within the context of that repository. The problem
| has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1,
| 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories
| that have been obtained via archives from untrusted sources.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-32002
https://www.cve.org/CVERecord?id=CVE-2024-32002
[1] https://security-tracker.debian.org/tracker/CVE-2024-32004
https://www.cve.org/CVERecord?id=CVE-2024-32004
[2] https://security-tracker.debian.org/tracker/CVE-2024-32020
https://www.cve.org/CVERecord?id=CVE-2024-32020
[3] https://security-tracker.debian.org/tracker/CVE-2024-32021
https://www.cve.org/CVERecord?id=CVE-2024-32021
[4] https://security-tracker.debian.org/tracker/CVE-2024-32465
https://www.cve.org/CVERecord?id=CVE-2024-32465
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
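The quoted CVE texts share one defender-side theme: a repository obtained from an untrusted source (a clone of another user's local repository, or an unpacked archive) may arrive with live hooks, and a local clone may share inodes with files the cloning user does not control. The following post-clone audit is an added example; it is not code from the bug report, from the Debian git package or from upstream Git. It flags executable non-sample files under `.git/hooks` and loose objects under `.git/objects` that are symlinks, hardlinked elsewhere, or owned by another uid. All function names are this example's own, the `AUTO_HOOKS` set is an assumed subset of the hooks documented in githooks(5), and `build_demo_repo` constructs a throwaway fixture so the script runs offline.

```python
"""Post-clone audit for a Git repository obtained from an untrusted source.

Added example (not from the Debian bug report, the git package or upstream
Git).  Checks two conditions the CVE texts single out as dangerous:
  * live hook scripts in .git/hooks, which Git runs on its own
    (the CVE-2024-32002 / 32004 / 32465 scenario), and
  * loose objects in .git/objects that are symlinks, hardlinked elsewhere
    or owned by another user (the CVE-2024-32020 / 32021 scenario).
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Hooks Git invokes during everyday commands (assumed subset of githooks(5)).
AUTO_HOOKS = {"post-checkout", "post-merge", "post-commit", "pre-commit",
              "prepare-commit-msg", "commit-msg", "pre-push", "post-rewrite"}


def find_active_hooks(git_dir):
    """Names of executable, non-sample regular files in .git/hooks.
    Git ignores the *.sample files it ships; anything else executable runs."""
    hooks_dir = Path(git_dir) / "hooks"
    if not hooks_dir.is_dir():
        return []
    live = []
    for entry in sorted(hooks_dir.iterdir()):
        if entry.name.endswith(".sample"):
            continue
        mode = entry.lstat().st_mode
        if stat.S_ISREG(mode) and mode & stat.S_IXUSR:
            live.append(entry.name)
    return live


def find_shared_objects(git_dir, owner_uid=None):
    """{relative_path: reason} for suspicious files under .git/objects.
    Flags symlinks, files owned by a uid other than owner_uid (default: the
    caller) and inodes with more than one link.  A same-user hardlink can be
    a legitimate local-clone optimisation, so the reason is reported."""
    if owner_uid is None:
        owner_uid = os.getuid() if hasattr(os, "getuid") else 0
    git_dir = Path(git_dir)
    flagged = {}
    for root, _dirs, files in os.walk(git_dir / "objects"):
        for name in files:
            path = Path(root) / name
            st = path.lstat()
            rel = str(path.relative_to(git_dir))
            if stat.S_ISLNK(st.st_mode):
                flagged[rel] = "symlink"
            elif st.st_uid != owner_uid:
                flagged[rel] = "owned by uid %d" % st.st_uid
            elif st.st_nlink > 1:
                flagged[rel] = "hardlinked (%d links)" % st.st_nlink
    return flagged


def audit_repository(repo_path):
    """Audit <repo>/.git; 'clean' is True only when nothing was flagged."""
    git_dir = Path(repo_path) / ".git"
    if not git_dir.is_dir():
        raise FileNotFoundError("no .git directory under %s" % repo_path)
    hooks = find_active_hooks(git_dir)
    objects = find_shared_objects(git_dir)
    return {"hooks": hooks, "objects": objects, "clean": not hooks and not objects}


def build_demo_repo(base):
    """Constructed fixture (not a real clone): one live hook, one sample hook,
    one ordinary loose object and one object hardlinked to a file outside."""
    base = Path(base)
    repo = base / "repo"
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".git" / "objects" / "ab").mkdir(parents=True)
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    live = repo / ".git" / "hooks" / "post-checkout"
    live.write_text("#!/bin/sh\necho hook ran\n")
    live.chmod(0o755)
    (repo / ".git" / "objects" / "ab" / "cdef").write_bytes(b"ordinary object")
    outside = base / "not-in-repo"
    outside.write_bytes(b"file owned elsewhere")
    os.link(outside, repo / ".git" / "objects" / "ab" / "0123")
    return repo


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_repo(tempfile.mkdtemp())
    report = audit_repository(target)
    for hook in report["hooks"]:
        print("live hook: .git/hooks/%s" % hook)
    for rel, why in report["objects"].items():
        print("suspicious object: %s (%s)" % (rel, why))
    sys.exit(0 if report["clean"] else 1)
```

Run it with a path to a repository worktree, or with no argument to audit the constructed fixture; a non-zero exit means something was flagged. Owner and link-count checks rely on POSIX `st_uid`/`st_nlink` semantics, so on Windows they report nothing useful.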
--- Begin Message ---
Source: git
Source-Version: 1:2.39.5-0+deb12u1
Done: Jonathan Nieder <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Nieder <[email protected]> (supplier of updated git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 16 Jun 2024 17:37:10 +0000
Source: git
Architecture: source
Version: 1:2.39.5-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Jonathan Nieder <[email protected]>
Changed-By: Jonathan Nieder <[email protected]>
Closes: 1071160
Changes:
git (1:2.39.5-0+deb12u1) bookworm-security; urgency=medium
.
  * new upstream point release (see RelNotes/2.39.3.txt,
    RelNotes/2.39.4.txt, RelNotes/2.39.5.txt). Addresses
    CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002,
    CVE-2024-32004, CVE-2024-32020, CVE-2023-32021 (closes:
    #1071160).
Checksums-Sha1:
 09868d049959333d776b613173cc452f0e7f17c8 2857 git_2.39.5-0+deb12u1.dsc
 e78eca649e2b7841bf22cfc1b3b9b9f1a2a3d825 7171400 git_2.39.5.orig.tar.xz
 5eade643066b697a4d516bd2cc24828d86bf7e69 742400 git_2.39.5-0+deb12u1.debian.tar.xz
 04755ea30d73deaf1f7e86d215033cad8375c309 12371 git_2.39.5-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 eccfcf6b7dba258ec5e50c503e33f4f21e76b2a2540af36d69cab37e4ce04494 2857 git_2.39.5-0+deb12u1.dsc
 c58da92c378df4a986ca33266897a7397e86c22ee266a284d8c2432c39066b59 7171400 git_2.39.5.orig.tar.xz
 5cd79b5a89b930936aa1cb5ab2ec53525a978c28ffd4017b47310ddc7660938a 742400 git_2.39.5-0+deb12u1.debian.tar.xz
 cd0e53d93965f6fb2be781572e39a5cbfa2e9347df88b9598a7642e0182840a9 12371 git_2.39.5-0+deb12u1_amd64.buildinfo
Files:
 65313a645eda1b74c15e4e6064c4c4ab 2857 vcs optional git_2.39.5-0+deb12u1.dsc
 a2bdc21bd3772270b5c4f025cb87126d 7171400 vcs optional git_2.39.5.orig.tar.xz
 ff94b82768b6aaed375ba887c24b0b05 742400 vcs optional git_2.39.5-0+deb12u1.debian.tar.xz
 6cb81e3145453490aecb0b1cd34c6048 12371 vcs optional git_2.39.5-0+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=A3xr
-----END PGP SIGNATURE-----
pgpQlCjjkLoOC.pgp
Description: PGP signature
--- End Message ---