Ubuntu
git package

Git 2.25.1 CVE-2022-23521 patches may be missing a small portion of the fixes

Bug #2003246 reported by Clark Boylan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
git (Ubuntu)
Fix Released
High
Leonidas S. Barbosa

Bug Description

patches/CVE_2022_23521_and_41903/0012-attr-ignore-overly-large-gitattributes-files.patch includes the updates to read_attr_from_file() but lacks the updates to read_attr_from_index() which can be seen here: https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579#diff-f89b08f027f583c8719c7a22dba3ccc888b98aafc084c40df006c4e82a0ca278L730-L742.

Looking at https://github.com/git/git/blob/v2.25.1/attr.c#L731-L759 I think 2.25.1 should include the patches for read_attr_from_index() as well. I've also checked the patches dir for the git 2.25.1 package to make sure some other patch doesn't fix this and as far as I can tell they don't.

For clarity I've been looking at the patch content found within http://archive.ubuntu.com/ubuntu/pool/main/g/git/git_2.25.1-1ubuntu3.7.debian.tar.xz.

Finally, I haven't checked the other Ubuntu git packages for similar problems. It is possible a similar issue exists in other versions of this package.

Leonidas S. Barbosa (leosilvab)
Changed in git (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
importance: Undecided → High
status: New → In Progress
Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi Clark,

Thanks for report this. I'm issuing an update with the missing parts ASAP. Sorry for the inconvenient.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.25.1-1ubuntu3.8

---------------
git (1:2.25.1-1ubuntu3.8) focal-security; urgency=medium

  * SECURITY REGRESSION: Previous update was incomplete what could causes regressions
    - debian/patches/CVE_2022_23521_and_41903/0012-*.patch: update patch with
      missed parts (LP: #2003246).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 19 Jan 2023 08:22:47 -0300

Changed in git (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.17.1-1ubuntu0.15

---------------
git (1:2.17.1-1ubuntu0.15) bionic-security; urgency=medium

  * SECURITY REGRESSION: Previous update was incomplete what could causes regressions
    - debian/patches/CVE_2022_23521_and_41903/0012-*.patch: update patch with
      missed parts (LP: #2003246).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 19 Jan 2023 08:37:09 -0300

Changed in git (Ubuntu):
status: In Progress → Fix Released
Alex Murray (alexmurray)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.