Slackware: 2018-152-01 Moderate: Git Submodule Path Exploit
slackware
June 1, 2018
New git packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues
Summary
Here are the details from the Slackware 14.2 ChangeLog: patches/packages/git-2.14.4-i586-1_slack14.2.txz: Upgraded. This update fixes security issues: Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). Credit for fixing for these bugs goes to Jeff King, Johannes Schindelin and others. For more information, see: https://www.cve.org/CVERecord?id=CVE-2018-11235 https://www.cve.org/CVERecord?id=CVE-2018-11233 (* Security fix *)
Topics Covered
Where Find New Packages
Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/git-2.14.4-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/git-2.14.4-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/git-2.14.4-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/git-2.14.4-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/git-2.14.4-i486-1_slack13.37.txz
Updated package for Slackware x86_64 1...
MD5 Signatures
Slackware 13.0 package:
c2ad84d5f0e51131c349320231c08675 git-2.14.4-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
7ae974e6cbf9e9952c3b23704932a20e git-2.14.4-x86_64-1_slack13.0.txz
Slackware 13.1 package:
c67fd56d50a633af8a73d1e798d53130 git-2.14.4-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
76a36b0566a6740ccb1f84471ec5982d git-2.14.4-x86_64-1_slack13.1.txz
Slackware 13.37 package:
959c467327d3e13c3f695f44bd23966a git-2.14.4-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
a7ae74f2bf301ae0692277150cb9f62d git-2.14.4-x86_64-1_slack13.37.txz
Slackware 14.0 package:
f649ba29533e529695629f3ced5cfb60 git-2.14.4-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
72a672d0b644c292a0e0347587ddd410 git-2.14.4-x86_64-1_slack14.0.txz
Slackware 14.1 package:
95b25602b3eddcf093afa3856a5b63c9 git-2.14.4-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
f8005eaedd8defc142a18a0fb19b3f68 git-2.14.4-x86_64-1_slack14.1.txz
Slackware 14.2 package:
fa6d08ddf2f760f314206a04faeeb02e git-2.14.4-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
37e04e3f2fb8a348ef7a79e4174aa18b git-2.14.4-x86_64-1_slack14.2.txz
Slackware -current package:
a4d94a8d81e823f4cd745f6760700cc1 d/git-2.17.1-i586-1.txz
Slackware x86_64 -current package:
a87963571a912a32e120a396d09bd1eb d/git-2.17.1-x86_64-1.txz
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Installation Instructions
Installation instructions: Upgrade the package as root: # upgradepkg git-2.14.4-i586-1_slack14.2.txz
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!