Advisories ยป MGASA-2019-0393

Updated git packages fix security vulnerabilities

Publication date: 15 Dec 2019
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-1348 , CVE-2019-1349 , CVE-2019-1387 , CVE-2019-19604


The updated packages fix security vulnerabilities:

The --export-marks option of git fast-import is exposed also via the
in-stream command feature export-marks=... and it allows overwriting
arbitrary paths. (CVE-2019-1348)

When submodules are cloned recursively, under certain circumstances Git
could be fooled into using the same Git directory twice. We now require
the directory to be empty. (CVE-2019-1349)

Recursive clones are currently affected by a vulnerability that is caused
by too-lax validation of submodule names, allowing very targeted attacks
via remote code execution in recursive clones. (CVE-2019-1387)

Arbitrary command execution is possible in Git before before 2.21.1,
because a "git submodule update" operation can run commands found in the
.gitmodules file of a malicious repository. (CVE-2019-19604)