Debian dla-4610 : git-lfs - security update

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-4610. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(318111);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/01");

  script_cve_id("CVE-2025-26625");

  script_name(english:"Debian dla-4610 : git-lfs - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4610
advisory.

    - -------------------------------------------------------------------------
    Debian LTS Advisory DLA-4610-1                [email protected]
    https://www.debian.org/lts/security/                       Andrej Shadura
    May 31, 2026                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : git-lfs
    Version        : 2.13.2-1+deb11u2
    CVE ID         : CVE-2025-26625

    In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's
    working tree with the contents of Git LFS objects, certain Git LFS commands
    could write to files visible outside the current Git working tree if symbolic
    or hard links existed which collided with the paths of files tracked by Git
    LFS.

    The git lfs checkout and git lfs pull commands did not check for symbolic
    links before writing to files in the working tree, which allowed an attacker
    to craft a repository containing symbolic or hard links that caused Git LFS
    to write to arbitrary file system locations accessible to the user running
    these commands.

    Also, when the git lfs checkout and git lfs pull commands were run in a bare
    repository, they could write to files visible outside the repository.
    The complete fix to this issue, specifically the behaviour of git lfs pull,
    requires a newer Git version, 2.42.0 or newer.

    As a workaround, support for symlinks in Git may be disabled by setting the
    core.symlinks configuration option to false, after which further clones and
    fetches will not create symbolic links. However, any symbolic or hard links
    in existing repositories will still provide the opportunity for Git LFS to
    write to their targets.

    For Debian 11 bullseye, this problem has been partially fixed in version
    2.13.2-1+deb11u2. For a complete fix, Git 2.42.0 or newer is also required.

    We recommend that you upgrade your git-lfs packages.

    For the detailed security status of git-lfs please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/git-lfs

    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/git-lfs");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-26625");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/git-lfs");
  script_set_attribute(attribute:"solution", value:
"Upgrade the git-lfs packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-26625");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:git-lfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-github-git-lfs-git-lfs-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'git-lfs', 'reference': '2.13.2-1+deb11u2'},
    {'release': '11.0', 'prefix': 'golang-github-git-lfs-git-lfs-dev', 'reference': '2.13.2-1+deb11u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'git-lfs / golang-github-git-lfs-git-lfs-dev');
}