Bug 1583888 (CVE-2018-11233) - CVE-2018-11233 git: path sanity check in is_ntfs_dotgit() can read arbitrary memory
Summary: CVE-2018-11233 git: path sanity check in is_ntfs_dotgit() can read arbitrary ...
Status: CLOSED ERRATA
Alias: CVE-2018-11233
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180530,repor...
Keywords: Security
Depends On: 1583890 1583891 1584241 1593733
Blocks: 1583883
Reported: 2018-05-30 00:43 UTC by Sam Fowler
Modified: 2019-06-08 22:54 UTC
CC: 51 users
Clone Of:
Last Closed: 2018-07-10 08:54:18 UTC
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2147 None None None 2018-07-10 08:35 UTC

Description Sam Fowler 2018-05-30 00:43:05 UTC
Git before versions 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1 performs path
sanity-checks in is_ntfs_dotgit():path.c that can be fooled into reading
arbitrary memory.

Upstream announcement:
https://marc.info/?l=git&m=152761328506724&w=2
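A practitioner's first question on reading the description is whether a given build is one of the fixed releases. The following check is added here as an editor's example, not code from the bug report or from git: the fixed-version thresholds are the ones stated above, and the rule that every branch newer than 2.17 already carries the fix is the example's own assumption.

```python
import re
from typing import Optional, Tuple

# First fixed release on each upstream maintenance branch, taken from the
# description above. Branches newer than 2.17 (2.18 and later) were released
# after the fix and are assumed to include it.
FIXED_RELEASES = {
    (2, 13): (2, 13, 7),
    (2, 14): (2, 14, 4),
    (2, 15): (2, 15, 2),
    (2, 16): (2, 16, 4),
    (2, 17): (2, 17, 1),
}
NEWEST_FIXED_BRANCH = (2, 17)


def parse_git_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `git --version` output or a bare
    version string such as "2.17.1.windows.2" or "2.17.0-rc1"."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed_for_cve_2018_11233(text: str) -> Optional[bool]:
    """True if the version is a fixed upstream release (or newer), False if it
    predates the fix on its branch, None if no version could be parsed."""
    version = parse_git_version(text)
    if version is None:
        return None
    branch = version[:2]
    if branch > NEWEST_FIXED_BRANCH:
        return True
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Older branches never received an upstream fix release; whether they
        # contain the vulnerable code at all is a separate question (see the
        # Red Hat statement below about RHEL 6 and 7).
        return False
    return version >= fixed


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["git", "--version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", is_fixed_for_cve_2018_11233(out))
```

Distribution packages such as the Fedora git-2.17.1-2.fc28 update below may backport the fix without changing the upstream version string, so treat a False result as a prompt to check the package changelog rather than as proof of exposure.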

Comment 1 Sam Fowler 2018-05-30 01:11:16 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1583890]

Comment 7 Riccardo Schirone 2018-05-31 11:25:38 UTC
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 and 7 as they did not include the vulnerable code.

Comment 8 Fedora Update System 2018-06-01 12:04:37 UTC
git-2.17.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2018-07-10 08:34:50 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2018:2147 https://access.redhat.com/errata/RHSA-2018:2147