MGASA-2018-0267

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2018-0267.html

Import Source

https://advisories.mageia.org/MGASA-2018-0267.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2018-0267

Related

Published

2018-06-03T11:02:21Z

Modified

2018-06-03T10:45:33Z

Summary

Updated git packages fix security vulnerabilities

Details

It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233).

Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / git

Package

Name: git
Purl: pkg:rpm/mageia/git?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.7-1.mga6

Ecosystem specific

{
    "section": "core"
}