MGASA-2018-0267

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2018-0267.html

Import Source

https://advisories.mageia.org/MGASA-2018-0267.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2018-0267

Related

CVE-2018-11233
CVE-2018-11235

Published

2018-06-03T11:02:21Z

Modified

2018-06-03T10:45:33Z

Summary

Updated git packages fix security vulnerabilities

Details

It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233).

Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235).

References

https://advisories.mageia.org/MGASA-2018-0267.html
https://bugs.mageia.org/show_bug.cgi?id=23096
http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

MGASA-2018-0267

Affected packages