Advisories » MGASA-2019-0393

Updated git packages fix security vulnerabilities

Publication date: 15 Dec 2019
Modification date: 15 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-1348, CVE-2019-1349, CVE-2019-1387, CVE-2019-19604

Description

The updated packages fix security vulnerabilities:

The --export-marks option of git fast-import is also exposed via the
in-stream command feature export-marks=..., which allows overwriting
arbitrary paths. (CVE-2019-1348)
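
A pre-check for fast-import streams from untrusted sources, as an added example that is not part of the advisory or of git: it reports in-stream `feature export-marks=` commands and skips `data` payloads so that blob content is not mistaken for a command. The function names and the sample stream are constructed for illustration.

```python
import io

FEATURE = b"feature export-marks="


def find_export_marks(stream):
    """Return (line_number, path) for each in-stream export-marks feature.

    Payloads of `data` commands are skipped, so blob or commit-message
    content that merely looks like a feature line is not reported.
    """
    findings, lineno = [], 0
    while line := stream.readline():
        lineno += 1
        text = line.rstrip(b"\n")
        if text.startswith(b"data <<"):
            # Delimited form: payload runs until a line equal to the delimiter.
            delim = text[len(b"data <<"):]
            while payload := stream.readline():
                lineno += 1
                if payload.rstrip(b"\n") == delim:
                    break
        elif text.startswith(b"data "):
            # Exact byte count form: skip that many raw bytes.
            payload = stream.read(int(text[len(b"data "):]))
            lineno += payload.count(b"\n")
        elif text.startswith(FEATURE):
            path = text[len(FEATURE):].decode("utf-8", "replace")
            findings.append((lineno, path))
    return findings


def scan_bytes(data):
    """Convenience wrapper for streams already held in memory."""
    return find_export_marks(io.BytesIO(data))


# Constructed sample stream (not from the advisory); the path is a placeholder.
SAMPLE = (
    b"feature done\n"
    b"feature export-marks=/placeholder/path\n"
    b"blob\n"
    b"mark :1\n"
    b"data 35\n"
    b"feature export-marks=inside-a-blob\n\n"
    b"done\n"
)

if __name__ == "__main__":
    for lineno, path in scan_bytes(SAMPLE):
        print(f"line {lineno}: stream asks fast-import to write marks to {path!r}")
```
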

When submodules are cloned recursively, under certain circumstances Git
could be fooled into using the same Git directory twice. We now require
the directory to be empty. (CVE-2019-1349)

Recursive clones are currently affected by a vulnerability that is caused
by too-lax validation of submodule names, allowing very targeted attacks
via remote code execution in recursive clones. (CVE-2019-1387)

Arbitrary command execution is possible in Git before 2.21.1,
because a "git submodule update" operation can run commands found in the
.gitmodules file of a malicious repository. (CVE-2019-19604)

References

SRPMS

7/core