Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235)

Fixes two security issues, described in the 2.13.7 release notes¹:

 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

   Credit for finding this vulnerability and the proof of concept from
   which the test script was adapted goes to Etienne Stalmans.

 * It was possible to trick the code that sanity-checks paths on NTFS
   into reading a random piece of memory (CVE-2018-11233).

¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt
Todd Zullinger 2018-05-29 13:08:24 -04:00
parent 676f6fab11
commit 9a5cabc9ef
2 changed files with 7 additions and 4 deletions
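As an added illustration of the CVE-2018-11235 class of bug (example code, not git's own source and not part of this package), the check below rejects a submodule name that contains a `..` path component before the name is appended to `$GIT_DIR/modules`. The rule is my reading of the upstream fix (treat both `/` and `\` as separators, reject empty names), and the sample names and the `.git` directory are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Returns 1 if a submodule name (taken from the untrusted .gitmodules) can
 * be safely appended to $GIT_DIR/modules, 0 if it must be ignored.
 * Rule (my reading of the 2.13.7 fix, not git's own source): reject an
 * empty name and any name with a ".." path component.  Both '/' and '\\'
 * count as separators so the result does not depend on the platform.
 */
int submodule_name_is_safe(const char *name)
{
    const char *p = name;

    if (!*p)
        return 0;
    for (;;) {
        /* p is at the start of a path component */
        if (p[0] == '.' && p[1] == '.' &&
            (p[2] == '\0' || p[2] == '/' || p[2] == '\\'))
            return 0;
        while (*p && *p != '/' && *p != '\\')   /* skip to next separator */
            p++;
        if (!*p)
            return 1;
        p++;                                    /* step past the separator */
    }
}

/* Build "<git_dir>/modules/<name>" only for a safe name; 1 on success. */
int modules_path(const char *git_dir, const char *name,
                 char *out, size_t outlen)
{
    int n;
    if (!submodule_name_is_safe(name))
        return 0;
    n = snprintf(out, outlen, "%s/modules/%s", git_dir, name);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* constructed sample names: the first three are benign, the rest escape */
    const char *names[] = { "lib/foo", "dotdot..", "..foo",
                            "../escape", "a/../../b", "a\\..\\b", "x/..", "" };
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-10s -> %s\n", names[i],
               modules_path(".git", names[i], buf, sizeof buf) ? buf : "rejected");
    return 0;
}
```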

@ -82,8 +82,8 @@
#global rcrev .rc0
Name: git
Version: 2.17.0
Release: 4%{?rcrev}%{?dist}
Version: 2.17.1
Release: 1%{?rcrev}%{?dist}
Summary: Fast Version Control System
License: GPLv2
URL: https://git-scm.com/
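Review bot: The Version/Release bump is consistent: Release is reset to 1 for the new upstream version, and since `rcrev` is still commented out at line 82 (`#global rcrev .rc0`) the `%{?rcrev}` suffix expands to nothing, so the built EVR is 2.17.1-1. The only thing to double-check is that the version string matches the tarball names added to the sources file in this same commit.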
@ -887,6 +887,9 @@ make test || ./print-failed-test-output
%{?with_docs:%{_pkgdocdir}/git-svn.html}
%changelog
* Tue May 29 2018 Todd Zullinger <tmz@pobox.com> - 2.17.1-1
- Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235)
* Thu May 24 2018 Todd Zullinger <tmz@pobox.com> - 2.17.0-4
- Fix segfault in rev-parse with invalid input (#1581678)
- Move TEST_SHELL_PATH setting to config.mak
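Review bot: The changelog entry matches the new EVR (2.17.1-1) and the commit date, and naming both CVE ids is good for anyone scanning the log. Consider adding one short line stating what the upstream fix covers (submodule name validation in .gitmodules and the NTFS path sanity check) so the security relevance is visible without opening the release notes. Note also that `%check` still runs `make test || ./print-failed-test-output`, so the adapted upstream test for the submodule name rule is exercised at build time.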

@ -1,2 +1,2 @@
SHA512 (git-2.17.0.tar.xz) = dab1c1d5d384b36720abc049a66ba60631e17958b214cfbec467be7adc02e82190e5282554da71797892c16bfe52d65b6244a281f504385083125bcb98ec7ee9
SHA512 (git-2.17.0.tar.sign) = b86cd002910256976c5c94214ebc0d80ea67f94d110e3fb85802c9ae2edf56e1ccc77a46164986ff5ad4d8efea0ffd73fa487ebb2c55d75d8af5d2f326755237
SHA512 (git-2.17.1.tar.xz) = 77c27569d40fbae1842130baa0cdda674a02e384631bd8fb1f2ddf67ce372dd4903b2ce6b4283a4ae506cdedd5daa55baa2afe6a6689528511e24e4beb864960
SHA512 (git-2.17.1.tar.sign) = 90fd436a1df4a154afa36a4aaea8fa447db703ca42197f5f4507c81f96076d5f20006c265506326958f5e0b670b72b11bc37ae4bebbfee0f6ba9d9274cf71017
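Review bot: Both the tarball and the detached `.tar.sign` entries are replaced, which is the right pair to update together. Since the `.tar.sign` file is fetched, confirm that `%prep` still verifies the new tarball against that signature with the pinned upstream key: the updated SHA512 lines pin what was downloaded, but on their own they do not establish that the 2.17.1 tarball is the one upstream signed.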