Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201605-01 ] Git: Multiple vulnerabilities
Date: Mon, 02 May 2016 19:31:32
Message-Id: afb5bcd4-2a59-a213-fc98-4c74ae67a90f@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201605-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Git: Multiple vulnerabilities
Date: May 02, 2016
Bugs: #562884, #577482
ID: 201605-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Git contains multiple vulnerabilities that allow for the remote
execution of arbitrary code.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-vcs/git              < 2.7.3-r1               >= 2.7.3-r1

Description
===========

Git is vulnerable to the remote execution of arbitrary code by cloning
repositories with large filenames or a large number of nested trees.
Additionally, some protocols within Git, such as git-remote-ext, can
execute arbitrary code found within URLs. The URLs that submodules
use may come from arbitrary sources (e.g., .gitmodules files in a
remote repository), and can affect those who enable recursive fetch.
Restrict the allowed protocols to well-known and safe ones.
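
The protocol restriction described above can be checked on the fetching
side before a recursive fetch is allowed. The following Python script is
an added example, not part of this GLSA and not Git's own code: it reads
a .gitmodules file, names the transport Git would select for each
submodule URL (remote-helper "helper::address" form first, then
"scheme://", then scp-like SSH, then relative or local paths), and
reports every submodule whose transport is outside an allowlist. The
allowlist, the sample .gitmodules content and the host names in it are
constructed for this example.

```python
"""Added example (not part of the GLSA): flag submodule URLs in a
.gitmodules file whose transport falls outside an allowlist of
well-known protocols."""
import re
from typing import Dict, List, Optional, Tuple

# Allowlist used by this example (an assumption, not Git's own default).
# "relative" URLs resolve against the superproject's remote URL and so
# inherit that remote's transport; they are accepted here.
ALLOWED_TRANSPORTS = {"https", "ssh", "git", "file", "relative"}

_HELPER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
_SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
_KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def classify_url(url: str) -> str:
    """Name the transport git selects for a submodule URL.

    Order mirrors git's own selection: a "helper::address" prefix wins
    (ext:: hands the address to a shell), then "scheme://", then the
    scp-like "[user@]host:path" form which is SSH, then relative or
    local paths.
    """
    m = _HELPER_RE.match(url)
    if m:
        return m.group(1).lower() + "::"
    m = _SCHEME_RE.match(url)
    if m:
        return m.group(1).lower()
    if url.startswith("./") or url.startswith("../"):
        return "relative"
    colon = url.find(":")
    if colon > 0 and "/" not in url[:colon]:
        # A single letter before the colon is a Windows drive, not a host.
        if colon == 1 and url[0].isalpha():
            return "local"
        return "ssh"
    return "local"


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .gitmodules reader: {submodule name: {key: value}}."""
    modules: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if stripped.startswith("["):
            current = None  # some other section; ignore its keys
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def find_violations(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, url, transport) for each submodule outside the allowlist."""
    bad: List[Tuple[str, str, str]] = []
    for name, keys in parse_gitmodules(text).items():
        url = keys.get("url")
        if url is None:
            continue
        transport = classify_url(url)
        if transport not in ALLOWED_TRANSPORTS:
            bad.append((name, url, transport))
    return bad


# Constructed sample: three ordinary entries plus one using the ext::
# remote helper, the form the advisory warns about.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "bar"]
\tpath = vendor/bar
\turl = git@example.invalid:org/bar.git
[submodule "sibling"]
\tpath = vendor/sibling
\turl = ../sibling.git
[submodule "tools"]
\tpath = tools
\turl = ext::some-helper %S /srv/repo
"""

if __name__ == "__main__":
    for name, url, transport in find_violations(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: disallowed transport {transport} in {url}")
```

Run against a checked-out superproject's .gitmodules before issuing a
recursive fetch; a non-empty result means at least one submodule URL
selects a transport the policy does not trust. The check is only as
good as the allowlist, so keep it to the protocols the advisory calls
well-known and safe, and treat any "helper::" transport as a review item.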

Impact
======

Remote attackers could execute arbitrary code on both client and
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-2.7.3-r1"

References
==========

[ 1 ] Buffer overflow in all git versions before 2.7.1
http://seclists.org/oss-sec/2016/q1/645
[ 2 ] CVE-2015-7545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7545
[ 3 ] CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
[ 4 ] CVE-2016-2324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201605-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
