Bug 2280484 (CVE-2024-32021)

Summary: CVE-2024-32021 git: symlink bypass
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aprice, bdettelb, caswilli, chazlett, dfreiber, dkuc, drow, fjansen, gmalinko, hhorak, hkataria, janstey, jburrell, jmitchel, jorton, jsamir, jsherril, jtanner, kaycoth, kshier, mpierce, opohorel, orabin, pdelbell, rstepani, sidakwo, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1, git 2.40.2, git 2.39.4
Doc Type: ---
Doc Text:
A vulnerability was found in Git. This flaw allows an unauthenticated attacker to place a repository containing symlinks on their target's local system. During the cloning process, Git could be tricked into creating hard links to arbitrary files inside the cloned repository's objects/ directory, impacting availability and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2280485, 2280486, 2280487, 2280488, 2280489, 2280490
Bug Blocks: 2280416

Description Nick Tait 2024-05-15 00:05:31 UTC
When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files on the
same filesystem as the target repository in the objects/ directory.
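As an added example (not code from this bug record or from Git itself), two defensive checks a packager or administrator might run against the behaviour described above: whether a Git version is at or past the fixed release for its series, and whether a local clone's objects/ directory contains hard links whose inode is not one of the regular files in the source repository's objects/ directory. The fixed releases are taken from the Fixed In Version field; treating series older than 2.39 as unfixed is an assumption, since the record lists no fix for them.

```python
"""Added example, not from the Bugzilla record or from Git: a fix-version
check and a foreign-hardlink scan for a local clone's objects/ directory.
Assumption: series older than 2.39 are treated as unfixed (no fix on record)."""
import os
import re
import stat

# Fixed-in versions from the record, keyed by 2.<minor> series.
FIXED_IN = {45: (2, 45, 1), 44: (2, 44, 1), 43: (2, 43, 4), 42: (2, 42, 2),
            41: (2, 41, 1), 40: (2, 40, 2), 39: (2, 39, 4)}

def parse_git_version(text):
    """Turn 'git version 2.43.0' (or '2.43') into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_fixed(version):
    """True if this Git version is at or past the listed fix for its series."""
    major, minor, _ = version
    if major != 2:
        return major > 2
    if minor > 45:            # every series after the newest listed fix
        return True
    fixed = FIXED_IN.get(minor)
    if fixed is None:         # older than 2.39: no fix on record (assumption)
        return False
    return version >= fixed

def _inodes(objects_dir):
    """(dev, ino) of every regular file below objects_dir; symlinks excluded."""
    found = set()
    for root, _, files in os.walk(objects_dir):
        for name in files:
            st = os.lstat(os.path.join(root, name))   # lstat: do not follow
            if stat.S_ISREG(st.st_mode):
                found.add((st.st_dev, st.st_ino))
    return found

def foreign_hardlinks(clone_objects, source_objects):
    """Object files in a local clone that are hard-linked to something other
    than a regular file in the source repository's objects/ directory.
    A local clone legitimately shares inodes with its source, so only links
    whose inode is not among the source's real files are reported."""
    legit = _inodes(source_objects)
    suspicious = []
    for root, _, files in os.walk(clone_objects):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if st.st_nlink > 1 and (st.st_dev, st.st_ino) not in legit:
                suspicious.append(path)
    return sorted(suspicious)
```

Run `foreign_hardlinks("clone/.git/objects", "source/.git/objects")` after a `git clone` of a local path; the inode comparison must be done on the same filesystem, which is the only case where Git hard-links objects.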

Comment 1 Nick Tait 2024-05-15 00:06:39 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280488]

Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280485]

Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280486]

Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280489]

Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280487]

Comment 5 errata-xmlrpc 2024-06-25 08:18:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084

Comment 6 errata-xmlrpc 2024-06-25 08:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083

Comment 8 errata-xmlrpc 2024-07-08 11:22:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368