MGASA-2019-0393

Source
https://advisories.mageia.org/MGASA-2019-0393.html
Import Source
https://advisories.mageia.org/MGASA-2019-0393.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2019-0393
Published
2019-12-15T18:03:05Z
Modified
2019-12-15T17:45:59Z
Summary
Updated git packages fix security vulnerabilities
Details

The updated packages fix security vulnerabilities:

The --export-marks option of git fast-import is also exposed via the in-stream command feature export-marks=..., and it allows overwriting arbitrary paths. (CVE-2019-1348)

When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. (CVE-2019-1349)

Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. (CVE-2019-1387)

Arbitrary command execution is possible in Git before 2.21.1, because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. (CVE-2019-19604)

References
Credits

Affected packages