Bug 2280466 (CVE-2024-32020) - CVE-2024-32020 git: insecure hardlinks
Summary: CVE-2024-32020 git: insecure hardlinks
Keywords:
Status: NEW
Alias: CVE-2024-32020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2280467 2280468 2280469 2280470 2280471 2280473 2280474 2280475 2280476 2280477 2280478
Blocks: 2280416
TreeView+ depends on / blocked
 
Reported: 2024-05-14 23:52 UTC by Nick Tait
Modified: 2024-07-11 14:28 UTC (History)
27 users (show)

Fixed In Version: git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1 , git 2.40.2, git 2.39.4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:4093 0 None None None 2024-06-25 11:24:47 UTC
Red Hat Product Errata RHBA-2024:4094 0 None None None 2024-06-25 11:22:49 UTC
Red Hat Product Errata RHBA-2024:4095 0 None None None 2024-06-25 11:24:00 UTC
Red Hat Product Errata RHBA-2024:4096 0 None None None 2024-06-25 11:24:31 UTC
Red Hat Product Errata RHBA-2024:4097 0 None None None 2024-06-25 11:39:52 UTC
Red Hat Product Errata RHBA-2024:4100 0 None None None 2024-06-25 14:35:48 UTC
Red Hat Product Errata RHBA-2024:4130 0 None None None 2024-06-26 14:29:16 UTC
Red Hat Product Errata RHBA-2024:4169 0 None None None 2024-06-27 15:37:35 UTC
Red Hat Product Errata RHBA-2024:4171 0 None None None 2024-06-27 15:42:11 UTC
Red Hat Product Errata RHBA-2024:4180 0 None None None 2024-07-01 01:09:43 UTC
Red Hat Product Errata RHBA-2024:4185 0 None None None 2024-07-01 07:13:01 UTC
Red Hat Product Errata RHBA-2024:4186 0 None None None 2024-07-01 07:23:38 UTC
Red Hat Product Errata RHBA-2024:4380 0 None None None 2024-07-08 14:49:41 UTC
Red Hat Product Errata RHBA-2024:4513 0 None None None 2024-07-11 14:28:56 UTC
Red Hat Product Errata RHSA-2024:4083 0 None None None 2024-06-25 08:24:37 UTC
Red Hat Product Errata RHSA-2024:4084 0 None None None 2024-06-25 08:18:49 UTC
Red Hat Product Errata RHSA-2024:4368 0 None None None 2024-07-08 11:21:58 UTC

Description Nick Tait 2024-05-14 23:52:09 UTC 
Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.
Comment 1 Nick Tait 2024-05-14 23:52:50 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280470]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280467]


Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280468]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280471]


Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280469]
Comment 2 Nick Tait 2024-05-14 23:53:22 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280476]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280473]


Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280474]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280477]


Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280475]
Comment 6 errata-xmlrpc 2024-06-25 08:18:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084
Comment 7 errata-xmlrpc 2024-06-25 08:24:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083
Comment 9 errata-xmlrpc 2024-07-08 11:21:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368
Note You need to log in before you can comment on or make changes to this bug.