git 1:2.17.1-1ubuntu0.16 in Bionic still vulnerable to CVE-2023-22490

Bug #2008277 reported by Emilio Pozuelo Monfort
Affects: git (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

Hi,

While backporting the latest git security fixes to Debian 9 buster, I looked at the Bionic update and realised a patch was missing. I thought maybe the patch wasn't needed, but I applied the test case in the buster source and it failed. Indeed, it's also failing on bionic:

osboxes@osboxes:~/tmp$ dpkg-query -f '${Version}\n' -W git
1:2.17.1-1ubuntu0.16
osboxes@osboxes:~/tmp$ mkdir local-dir
osboxes@osboxes:~/tmp$ echo secret > local-dir/file
osboxes@osboxes:~/tmp$ git init repo1
Initialized empty Git repository in /home/osboxes/tmp/repo1/.git/
osboxes@osboxes:~/tmp$ rm -r repo1/.git/objects/
osboxes@osboxes:~/tmp$ ln -s `pwd`/local-dir repo1/.git/objects
osboxes@osboxes:~/tmp$ git clone repo1 repo2
Cloning into 'repo2'...
warning: You appear to have cloned an empty repository.
done.
osboxes@osboxes:~/tmp$ cat repo2/.git/objects/file
secret

The git clone repo1 repo2 should have failed, complaining that objects is a symlink.

https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c needs to be backported, for which the easiest (and safest) route is to backport a couple of changes in dir-iterator. See the deb10u8.

Cheers,
Emilio

CVE References: CVE-2023-22490

Changed in git (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Seth Arnold (seth-arnold) wrote :

Thanks Emilio!

Changed in git (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.17.1-1ubuntu0.17

---------------
git (1:2.17.1-1ubuntu0.17) bionic-security; urgency=medium

  * SECURITY REGRESSION: Adding missing parts of CVE-2023-22490
    local repository clone when .git/objects is a symlink
    - debian/patches/CVE_2023_22490_and_23946/0001-dir-iterator-refactor*.patch
    - debian/patches/CVE_2023_22490_and_23946/0005-dir-iterator-add-flags*.patch
      (LP: #2008277).

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 27 Feb 2023 11:27:06 -0300

Changed in git (Ubuntu):
status: In Progress → Fix Released
Emilio Pozuelo Monfort (pochu) wrote :

Made this visible now that it's fixed.

btw I can't check if xenial is affected as I don't have access to ESM, but that should be double-checked.

information type: Private Security → Public Security