rpms/git
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 2.19.1 (CVE-2018-17456)

Browse Source 
From the upstream release announcement:

  These releases fix a security flaw (CVE-2018-17456), which allowed an
  attacker to execute arbitrary code by crafting a malicious .gitmodules
  file in a project cloned with --recurse-submodules.

  When running "git clone --recurse-submodules", Git parses the supplied
  .gitmodules file for a URL field and blindly passes it as an argument
  to a "git clone" subprocess.  If the URL field is set to a string that
  begins with a dash, this "git clone" subprocess interprets the URL as
  an option.  This can lead to executing an arbitrary script shipped in
  the superproject as the user who ran "git clone".

  In addition to fixing the security issue for the user running "clone",
  the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
  be used to detect such malicious repository content when fetching or
  accepting a push. See "transfer.fsckObjects" in git-config(1).

  Credit for finding and fixing this vulnerability goes to joernchen
  and Jeff King, respectively.

References:
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/
This commit is contained in:
Todd Zullinger 2018-10-05 15:18:02 -04:00
parent 1cb6673d8f
commit 32a31b7090
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
git.spec
View File

@ -85,7 +85,7 @@
#global rcrev .rc0
Name: git
Version: 2.19.0
Version: 2.19.1
Release: 1%{?rcrev}%{?dist}
Summary: Fast Version Control System
License: GPLv2
@ -914,6 +914,9 @@ make -C contrib/credential/netrc/ testverbose
%{?with_docs:%{_pkgdocdir}/git-svn.html}
%changelog
* Fri Oct 05 2018 Todd Zullinger <tmz@pobox.com> - 2.19.1-1
- Update to 2.19.1 (CVE-2018-17456)
* Mon Sep 10 2018 Todd Zullinger <tmz@pobox.com> - 2.19.0-1
- Update to 2.19.0

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (git-2.19.0.tar.xz) = 305e51f8e22d96847fcdf4169340795aacaf5f4c5b8052cda860a668059d9ef35bb2840c278b7207f3b9f0e1c32915719649edc20bd3cd33b53e97a06159ceac
SHA512 (git-2.19.0.tar.sign) = eaf3f8cf20e0621ccd31e8bd086a33d3e79845836176feebd95e59ea15d9db432ddc201f65e35480d83fc4c753a0ca64bffcad2f5609dcda2517845b4d32aa57
SHA512 (git-2.19.1.tar.xz) = a1bc1032b1de9eb9ea8b7c385cd009f64247e13066e0a91e9682e35400ded05f88c23b523cca4782f57544060d6ba0f9d3bec944399cda5771a4945c38bb9b98
SHA512 (git-2.19.1.tar.sign) = ec8a88b27411ca08eaa682536219dd2ffbe2bbeaf88ebcea5c3ec5caa7351de5815139e63d295c1108717d50e76ecbfe3d36b1199ef148a06ebe58f37510e6e9