Lucene search

K
slackwareSlackware Linux ProjectSSA-2022-291-01
HistoryOct 18, 2022 - 8:40 p.m.

[slackware-security] git

2022-10-1820:40:51
Slackware Linux Project
www.slackware.com
14

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.2%

New git packages are available for Slackware 14.0, 14.1, 14.2, 15.0,
and -current to fix security issues.

Here are the details from the Slackware 15.0 ChangeLog:

patches/packages/git-2.35.5-i586-1_slack15.0.txz: Upgraded.
This release fixes two security issues:

  • CVE-2022-39253:
    When relying on the --local clone optimization, Git dereferences
    symbolic links in the source repository before creating hardlinks
    (or copies) of the dereferenced link in the destination repository.
    This can lead to surprising behavior where arbitrary files are
    present in a repository’s $GIT_DIR when cloning from a malicious
    repository.
    Git will no longer dereference symbolic links via the --local
    clone mechanism, and will instead refuse to clone repositories that
    have symbolic links present in the $GIT_DIR/objects directory.
    Additionally, the value of protocol.file.allow is changed to be
    “user” by default.
  • CVE-2022-39260:
    An overly-long command string given to git shell can result in
    overflow in split_cmdline(), leading to arbitrary heap writes and
    remote code execution when git shell is exposed and the directory
    $HOME/git-shell-commands exists.
    git shell is taught to refuse interactive commands that are
    longer than 4MiB in size. split_cmdline() is hardened to reject
    inputs larger than 2GiB.
    For more information, see:
    https://vulners.com/cve/CVE-2022-39253
    https://vulners.com/cve/CVE-2022-39260
    (* Security fix *)

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the “Get Slack” section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/git-2.30.6-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/git-2.30.6-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/git-2.30.6-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/git-2.30.6-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/git-2.30.6-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/git-2.30.6-x86_64-1_slack14.2.txz

Updated package for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/git-2.35.5-i586-1_slack15.0.txz

Updated package for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/git-2.35.5-x86_64-1_slack15.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/git-2.38.1-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/git-2.38.1-x86_64-1.txz

MD5 signatures:

Slackware 14.0 package:
48ee1ee2b38d78db02f8a071685b9450 git-2.30.6-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
e28b635209f0609c6ef18e114a88fc16 git-2.30.6-x86_64-1_slack14.0.txz

Slackware 14.1 package:
1ad7ec8d222bbb240485dd62db3adf40 git-2.30.6-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
334f2f6a9eda3bb9a242d91fc40b97d4 git-2.30.6-x86_64-1_slack14.1.txz

Slackware 14.2 package:
346f1b5332fc9fa6c256578c6d2296f3 git-2.30.6-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
385741384f10e345bf736489096c7f63 git-2.30.6-x86_64-1_slack14.2.txz

Slackware 15.0 package:
c36b2529a04298271a42b54a2e22cd7c git-2.35.5-i586-1_slack15.0.txz

Slackware x86_64 15.0 package:
cf2c3403da6faf885008e4fa7f9ff5c4 git-2.35.5-x86_64-1_slack15.0.txz

Slackware -current package:
44fd8361f0920419437471089a87e984 d/git-2.38.1-i586-1.txz

Slackware x86_64 -current package:
09bd553a683015bdcd1549ff4465d704 d/git-2.38.1-x86_64-1.txz

Installation instructions:

Upgrade the package as root:
> upgradepkg git-2.35.5-i586-1_slack15.0.txz

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

82.2%