Opened 7 months ago

Closed 7 months ago

Last modified 8 weeks ago

#14746 closed enhancement (fixed)

git-2.30.2

Reported by: ken@… Owned by: Douglas R. Reno
Priority: normal Milestone: 11.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Released today, with an announcement at github https://github.blog/2021-03-09-git-clone-vulnerability-announced/ that it fixes CVE-2021-21300 - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300

Normal priority, because on linux this not only requires clean/smudge filters to be used, it requires use of a case-insensitive filesystem which supports symbolic links. That applies to macOS and windows, but for linux you would need to either configure ext4 or f2fs to be case-insensitive, or else clone onto an NTFS, HFS+ or APFS filesystem.

Change History (5)

comment:1 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 7 months ago

Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.
Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

 * CVE-2021-21300:
   On case-insensitive file systems with support for symbolic links,
   if Git is configured globally to apply delay-capable clean/smudge
   filters (such as Git LFS), Git could be fooled into running
   remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.

Since we're not affected (as mentioned in the ticket description - thank you Ken), I'll leave it as normal.

comment:3 by Douglas R. Reno, 7 months ago

Something interesting of note:

The build with the tests only took 2.5 SBU for me. I think this is due to building on an SSD.

Test results are identical to previous versions:

fixed   0
success 22806
failed  0
broken  241
total   23368

comment:4 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r24365

comment:5 by Bruce Dubbs, 8 weeks ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.