update: dev-vcs/git #1611

Open
tormath1 opened this issue Jan 15, 2025 · 1 comment · May be fixed by flatcar/scripts#2614
Labels: advisory (security advisory), cvss/HIGH (> 7 && < 9 assessed CVSS), security (security concerns)

Comments

@tormath1 (Contributor) commented Jan 15, 2025

Name: dev-vcs/git
CVEs: CVE-2024-50349, CVE-2024-52005, CVE-2024-52006
CVSSs: 2.1, 7.5, 2.1
Action Needed: upgrade to >= v2.45.3

Summary:

  • CVE-2024-50349: Printing unsanitized URLs when asking for credentials makes the user susceptible to crafted URLs (e.g. in recursive clones). These URLs can mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead. A potential scenario of how this can be exploited is a recursive clone where one of the submodules prompts for a password, pretending to ask for a different host than the password will be sent to.
  • CVE-2024-52005: When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
  • CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret Carriage Returns as line endings, even though this is not what was intended (but Git’s documentation did not clarify that "newline" meant "Line Feed character"). This affected the popular .NET-based Git Credential Manager, which has been updated accordingly in coordination with the Git project.

refmap.gentoo: CVE-2024-{50349, 52006}: https://bugs.gentoo.org/948111, CVE-2024-52005: TBD
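
The three CVE summaries above share one root cause: control characters reaching a terminal or a line-oriented credential helper unescaped. As an added illustration, not code from this issue, from Flatcar or from Git itself, here is a Python sketch of the corresponding checks; the function names and the sample inputs are constructed for the example.

```python
import re

# Bytes a terminal or a line-oriented credential helper may act on rather
# than display: C0 controls (incl. CR 0x0d, LF 0x0a, ESC 0x1b), DEL, C1.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

def has_control_chars(text: str) -> bool:
    return _CONTROL.search(text) is not None

def escape_controls(text: str) -> str:
    """Render control characters visibly (e.g. \\x1b) instead of passing them on."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def format_sideband(message: str) -> str:
    """Sideband text from the remote is untrusted: escape it before printing it
    under the usual 'remote:' prefix, so ANSI sequences cannot rewrite the display."""
    return "remote: " + escape_controls(message)

def credential_prompt(url: str) -> str:
    """Password prompt with the URL escaped, so it cannot visually pose as another host."""
    return "Password for '%s': " % escape_controls(url)

def parse_credential_request(raw: str) -> dict:
    """Parse git-credential 'key=value' lines terminated by a blank line.
    Only LF ends a line; a CR (or any other control byte) inside a key or value
    is rejected instead of being forwarded to a helper that may treat it as a newline."""
    fields = {}
    for line in raw.split("\n"):
        if line == "":          # blank line ends the request
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError("malformed credential line: %r" % line)
        if has_control_chars(key) or has_control_chars(value):
            raise ValueError("control character in credential field %r" % key)
        fields[key] = value
    return fields

def credential_request_is_safe(raw: str) -> bool:
    try:
        parse_credential_request(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample input: a sideband line carrying an erase-line sequence,
    # and a credential request whose host line ends in CR LF instead of LF.
    print(format_sideband("\x1b[2K\x1b[1Gdone"))
    print(credential_request_is_safe("protocol=https\nhost=git.example.com\r\n\n"))
```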

@tormath1 tormath1 added security security concerns advisory security advisory labels Jan 15, 2025
@tormath1 tormath1 added the cvss/LOW < 4 assessed CVSS label Jan 15, 2025
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Jan 27, 2025
@krnowak krnowak linked a pull request Jan 27, 2025 that will close this issue
@dongsupark dongsupark added cvss/HIGH > 7 && < 9 assessed CVSS and removed cvss/LOW < 4 assessed CVSS labels Jan 28, 2025
@dongsupark (Member) commented:

Added CVE-2024-52005.

@dongsupark dongsupark moved this from 🪵Backlog to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Jan 28, 2025