SECURITY: safe.directory backport doesn't check key name

Bug #1970260 reported by Ray Link
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
git (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

The recent backport of the security fix for CVE-2022-24765 does not contain enough of the upstream fix for the issue. Specifically, it does not contain a subsequent commit that corrects the omission of checking the key name when searching the config file for safe directories.

In the implementation backported to Ubuntu, the config file parser does not check the name of the key when scanning key/value pairs for directories that should be considered as safe. As such, any key whose value looks like a directory name will cause that directory to be treated as safe. (i.e. "foo.bar = /path/to/something" is functionally equivalent to "safe.directory = /path/to/something")

Upstream commit bb50ec3cc300eeff3aba7a2bea145aabdb477d31 which fixes the issue is attached as a patch.

CVE References

Revision history for this message
Ray Link (rlink) wrote :
Revision history for this message
Ray Link (rlink) wrote :

Another subsequent commit missing from the Ubuntu backport of the fix is one that adds the option to opt-out of safe directory checking by setting the value of "safe.directory" to "*".

The fix as included in Ubuntu introduces a host of regressions for users/sites with large numbers of intentionally shared repositories, repositories in network filesystems where the numeric owner id on a file/directory is not indicative of who actually has access to the repository, or sites where repositories are accessed from within a container where numeric uids differ between the host and the container.

Upstream commit 0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8 which introduces the opt-out mechanism to revert the regression is attached.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.34.1-1ubuntu1.2

---------------
git (1:2.34.1-1ubuntu1.2) jammy; urgency=medium

  * SECURITY REGRESSION: Previous update was incomplete causing regressions
    and not correctly fixing the issue.
    - debian/patches/CVE-2022-24765-5.patch: fix safe.directory
      key not being checked in setup.c.
    - debian/patches/CVE-2022-24765-6.patch:
      opt-out of check with safe.directory=* in setup.c. (LP: #1970260)

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 25 Apr 2022 20:14:03 -0300

Changed in git (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.32.0-1ubuntu1.2

---------------
git (1:2.32.0-1ubuntu1.2) impish-security; urgency=medium

  * SECURITY REGRESSION: Previous update was incomplete causing regressions
    and not correctly fixing the issue.
    - debian/patches/CVE-2022-24765-5.patch: fix safe.directory
      key not being checked in setup.c.
    - debian/patches/CVE-2022-24765-6.patch:
      opt-out of check with safe.directory=* in setup.c. (LP: #1970260)

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 25 Apr 2022 20:20:02 -0300

Changed in git (Ubuntu):
status: New → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks, Ray

information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers