Your message dated Mon, 20 May 2024 04:34:46 +0000
with message-id <e1s8ujw-002ajl...@fasolo.debian.org>
and subject line Bug#1071160: fixed in git 1:2.45.1-1
has caused the Debian Bug report #1071160,
regarding git: CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1071160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: git
Version: 1:2.43.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for git.

CVE-2024-32002[0]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with
| submodules can be crafted in a way that exploits a bug in Git
| whereby it can be fooled into writing files not into the submodule's
| worktree but into a `.git/` directory. This allows writing a hook
| that will be executed while the clone operation is still running,
| giving the user no opportunity to inspect the code that is being
| executed. The problem has been patched in versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support
| is disabled in Git (e.g. via `git config --global core.symlinks
| false`), the described attack won't work. As always, it is best to
| avoid cloning repositories from untrusted sources.


CVE-2024-32004[1]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare
| a local repository in such a way that, when cloned, will execute
| arbitrary code during the operation. The problem has been patched in
| versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
| As a workaround, avoid cloning repositories from untrusted sources.


CVE-2024-32020[2]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up
| hardlinking files into the target repository's object database when
| source and target repository reside on the same disk. If the source
| repository is owned by a different user, then those hardlinked files
| may be rewritten at any point in time by the untrusted user. Cloning
| local repositories will cause Git to either copy or hardlink files
| of the source repository into the target repository. This
| significantly speeds up such local clones compared to doing a
| "proper" clone and saves both disk space and compute time. When
| cloning a repository located on the same disk that is owned by a
| different user than the current user we also end up creating such
| hardlinks. These files will continue to be owned and controlled by
| the potentially-untrusted user and can be rewritten by them at will
| in the future. The problem has been patched in versions 2.45.1,
| 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.


CVE-2024-32021[3]:
| Git is a revision control system. Prior to versions 2.45.1, 2.44.1,
| 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local
| source repository that contains symlinks via the filesystem, Git may
| create hardlinks to arbitrary user-readable files on the same
| filesystem as the target repository in the `objects/` directory.
| Cloning a local repository over the filesystem may create
| hardlinks to arbitrary user-owned files on the same filesystem in
| the target Git repository's `objects/` directory. When cloning a
| repository over the filesystem (without explicitly specifying the
| `file://` protocol or `--no-local`), the optimizations for local
| cloning will be used, which include attempting to hard link the
| object files instead of copying them. While the code includes checks
| against symbolic links in the source repository, which were added
| during the fix for CVE-2022-39253, these checks can still be raced
| because the hard link operation ultimately follows symlinks. If the
| object on the filesystem appears as a file during the check, and
| then a symlink during the operation, this will allow the adversary
| to bypass the check and create hardlinks in the destination objects
| directory to arbitrary, user-readable files. The problem has been
| patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2,
| and 2.39.4.


CVE-2024-32465[4]:
| Git is a revision control system. The Git project recommends
| avoiding working in untrusted repositories, and instead cloning them
| first with `git clone --no-local` to obtain a clean copy. Git has
| specific protections to make that a safe operation even with an
| untrusted source repository, but vulnerabilities allow those
| protections to be bypassed. In the context of cloning local
| repositories owned by other users, this vulnerability has been
| covered in CVE-2024-32004. But there are circumstances where the
| fixes for CVE-2024-32004 are not enough: For example, when obtaining
| a `.zip` file containing a full copy of a Git repository, it should
| not be trusted by default to be safe, as e.g. hooks could be
| configured to run within the context of that repository. The problem
| has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1,
| 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories
| that have been obtained via archives from untrusted sources.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32002
    https://www.cve.org/CVERecord?id=CVE-2024-32002
[1] https://security-tracker.debian.org/tracker/CVE-2024-32004
    https://www.cve.org/CVERecord?id=CVE-2024-32004
[2] https://security-tracker.debian.org/tracker/CVE-2024-32020
    https://www.cve.org/CVERecord?id=CVE-2024-32020
[3] https://security-tracker.debian.org/tracker/CVE-2024-32021
    https://www.cve.org/CVERecord?id=CVE-2024-32021
[4] https://security-tracker.debian.org/tracker/CVE-2024-32465
    https://www.cve.org/CVERecord?id=CVE-2024-32465

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
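As an added check that is not part of the bug report or the git package: a small Python script that classifies a Git version string (upstream `git --version` output or a Debian version carrying an epoch and revision) against the fixed point releases the advisories above list. It assumes that list is complete, that series newer than 2.45 shipped after the fixes, and that series older than 2.39 never received a fixed point release.

```python
"""Classify a Git version against the fixed releases named in the advisories
for CVE-2024-32002, -32004, -32020, -32021 and -32465.
Added example, not part of the Debian bug report or the git package."""
import re

# Fixed versions exactly as listed in the advisories, keyed by release series.
FIXED_VERSIONS = {
    (2, 45): (2, 45, 1), (2, 44): (2, 44, 1), (2, 43): (2, 43, 4),
    (2, 42): (2, 42, 2), (2, 41): (2, 41, 1), (2, 40): (2, 40, 2),
    (2, 39): (2, 39, 4),
}

def parse_version(text):
    """Return (major, minor, patch) from 'git version 2.43.0', a Debian
    version such as '1:2.45.1-1' (epoch and revision are skipped), or a bare
    '2.39.4'. A missing patch level counts as 0."""
    m = re.search(r'(?:^|[^\d.])(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError("no dotted version found in %r" % text)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)

def is_fixed(text):
    """True if the version contains the fixes for the five CVEs above."""
    major, minor, patch = parse_version(text)
    series = (major, minor)
    if series in FIXED_VERSIONS:
        # Within a patched series the point release must be at or past the fix.
        return (major, minor, patch) >= FIXED_VERSIONS[series]
    # Assumption: series newer than 2.45 were released after the fixes; series
    # older than 2.39 got no fixed point release and are still affected.
    return series > max(FIXED_VERSIONS)

def audit(versions):
    """Map each reported version string to 'fixed' or 'affected'."""
    return {v: ("fixed" if is_fixed(v) else "affected") for v in versions}

if __name__ == "__main__":
    # Constructed sample inputs: the bug's reported and fixed Debian versions,
    # plus a few upstream strings in the form `git --version` prints them.
    for v, status in audit(["1:2.43.0-1", "1:2.45.1-1", "git version 2.39.3",
                            "git version 2.46.0", "2.38.5"]).items():
        print(f"{v:24} {status}")
```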
--- Begin Message ---
Source: git
Source-Version: 1:2.45.1-1
Done: Jonathan Nieder <jrnie...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 May 2024 03:36:58 +0000
Source: git
Architecture: source
Version: 1:2.45.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Closes: 1071160
Changes:
 git (1:2.45.1-1) unstable; urgency=medium
 .
   * new upstream release (see RelNotes/2.44.0.txt, RelNotes/2.45.0.txt).
   * new upstream point release (see RelNotes/2.45.1.txt; addresses
     CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021 and
     CVE-2024-32465; closes: #1071160).
   * debian/patches/0001..0007: new from upstream: followups intended
     for v2.45.2 to avoid regressions from the fixes included in
     v2.45.1 (thx Johannes Schindelin).



--- End Message ---
