Bugzilla – Bug 1201431
VUL-0: CVE-2022-29187: git,libgit2: incomplete fix for CVE-2022-24765
Last modified: 2024-05-19 18:46:21 UTC
From https://lists.q42.co.uk/pipermail/git-announce/2022-July/001250.html

Fixed in Git v2.37.1, v2.30.5, v2.31.4, v2.32.3, v2.33.4, v2.34.4, v2.35.4, and v2.36.2

CVE-2022-29187, where the fixes in v2.36.1 and below to address CVE-2022-24765 released earlier may not have been complete.

 * The safety check that verifies a safe ownership of the Git worktree is now extended to also cover the ownership of the Git directory (and the `.git` file, if there is any).

https://github.com/git/git/commit/3b0bf2704980b1ed6018622bdf5377ec22289688
Also as previously there is a corresponding change to libgit2...
https://github.com/libgit2/libgit2/releases/tag/v1.4.4
https://github.com/libgit2/libgit2/releases/tag/v1.3.2
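As an added illustration of the extended check described above (this is not code from git, libgit2 or SUSE): a small Python function that reports which of the worktree, the gitfile and the Git directory are owned by someone other than the running user, the condition the CVE-2022-29187 fix now rejects instead of checking the worktree alone. The gitfile parsing is simplified to the first line with a `gitdir: ` prefix, and the sample repository layouts in `demo()` are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def resolve_git_dir(worktree: Path) -> Path:
    """Git directory of a worktree: a regular file at worktree/.git is a
    gitfile ('gitdir: <path>', linked worktrees/submodules), else .git itself."""
    dot_git = worktree / ".git"
    if not dot_git.is_file():
        return dot_git
    first = dot_git.read_text(encoding="utf-8").splitlines()[0]
    if not first.startswith("gitdir: "):
        raise ValueError(f"{dot_git} is not a valid gitfile")
    target = Path(first[len("gitdir: "):].strip())
    return target if target.is_absolute() else (worktree / target).resolve()


def unsafe_paths(worktree, expected_uid=None):
    """Paths among worktree, gitfile (if any) and Git directory NOT owned by
    expected_uid (default: our effective uid). Empty list == check passes."""
    worktree = Path(worktree)
    uid = os.geteuid() if expected_uid is None else expected_uid
    candidates = [worktree]
    if (worktree / ".git").is_file():
        candidates.append(worktree / ".git")   # the gitfile itself
    candidates.append(resolve_git_dir(worktree))
    # follow_symlinks=False: judge the entry that is actually in place
    return [str(p) for p in candidates
            if os.stat(p, follow_symlinks=False).st_uid != uid]


def demo():
    """Constructed sample layouts in a temp dir, checked against our own uid
    and against a uid that (by construction) owns none of the files."""
    me = os.geteuid()
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        plain = tmp / "plain"
        (plain / ".git").mkdir(parents=True)           # ordinary .git directory
        out["plain_ok"] = unsafe_paths(plain)
        out["plain_other"] = unsafe_paths(plain, expected_uid=me + 1)
        gitdir = tmp / "repo.git"
        gitdir.mkdir()
        wt = tmp / "wt"
        wt.mkdir()
        (wt / ".git").write_text(f"gitdir: {gitdir}\n", encoding="utf-8")
        out["gitfile_ok"] = unsafe_paths(wt)            # worktree + gitfile + gitdir
        out["gitfile_other"] = unsafe_paths(wt, expected_uid=me + 1)
    return out
```

With the gitfile layout, a worktree-only check would see nothing wrong even if `repo.git` belonged to another user; the extended check flags all three entries.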
Corresponding bug with the missing fix (CVE-2022-24765): bnc#1198234

Fix for git: see Andreas' comment

Affected git:
- SUSE:SLE-12:Update/git 2.26.2
- SUSE:SLE-15:Update/git 2.26.2
- SUSE:SLE-15-SP3:Update/git 2.35.3
- openSUSE:Factory/git 2.37.0

Fix for libgit2: https://github.com/libgit2/libgit2/pull/6349

Affected libgit2:
- SUSE:SLE-15-SP2:Update/libgit2 0.28.4
- SUSE:SLE-15:Update/libgit2 0.26.8
- SUSE:SLE-15-SP4:Update/libgit2 1.3.0
- openSUSE:Factory/libgit2 1.4.3
Factory fixes:
https://build.opensuse.org/request/show/988913
https://build.opensuse.org/request/show/988914
SUSE-SU-2022:2535-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1200119,1201431
CVE References: CVE-2022-29187
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): git-2.26.2-150000.41.1
openSUSE Leap 15.3 (src): git-2.26.2-150000.41.1
SUSE Manager Server 4.1 (src): git-2.26.2-150000.41.1
SUSE Manager Retail Branch Server 4.1 (src): git-2.26.2-150000.41.1
SUSE Manager Proxy 4.1 (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15 (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): git-2.26.2-150000.41.1
SUSE Enterprise Storage 7 (src): git-2.26.2-150000.41.1
SUSE Enterprise Storage 6 (src): git-2.26.2-150000.41.1
SUSE CaaS Platform 4.0 (src): git-2.26.2-150000.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2537-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1200119,1201431
CVE References: CVE-2022-29187
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): git-2.26.2-27.57.1
SUSE OpenStack Cloud 9 (src): git-2.26.2-27.57.1
SUSE OpenStack Cloud 8 (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP5 (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): git-2.26.2-27.57.1
HPE Helion Openstack 8 (src): git-2.26.2-27.57.1
SUSE-SU-2022:2550-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201431
CVE References: CVE-2022-29187
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): git-2.35.3-150300.10.15.1
openSUSE Leap 15.3 (src): git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): git-2.35.3-150300.10.15.1
(In reply to Hu from comment #2)
> Fix for libgit2: https://github.com/libgit2/libgit2/pull/6349
>
> Affected libgit2:
> - SUSE:SLE-15-SP2:Update/libgit2 0.28.4
> - SUSE:SLE-15:Update/libgit2 0.26.8
> - SUSE:SLE-15-SP4:Update/libgit2 1.3.0

Hi Scott, could you please submit a fix for these? :)
Any news Antonio?
I just submitted the following SRs to fix this:
https://build.suse.de/request/show/279522 for SLE-15:Update
https://build.suse.de/request/show/279523 for SLE-15-SP2:Update
https://build.suse.de/request/show/279524 for SLE-15-SP4:Update
SUSE-SU-2022:3283-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libgit2-1.3.0-150400.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): libgit2-1.3.0-150400.3.3.1
SUSE-SU-2022:3494-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libgit2-0.28.4-150200.3.3.1
openSUSE Leap 15.3 (src): libgit2-0.28.4-150200.3.3.1
SUSE Manager Server 4.1 (src): libgit2-0.28.4-150200.3.3.1
SUSE Manager Retail Branch Server 4.1 (src): libgit2-0.28.4-150200.3.3.1
SUSE Manager Proxy 4.1 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): libgit2-0.28.4-150200.3.3.1
SUSE Enterprise Storage 7 (src): libgit2-0.28.4-150200.3.3.1
SUSE-SU-2022:3495-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1158790,1158981,1198234,1201431
CVE References: CVE-2019-1352,CVE-2022-24765,CVE-2022-29187
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libgit2-0.26.8-150000.3.15.1
openSUSE Leap 15.3 (src): libgit2-0.26.8-150000.3.15.1
SUSE Manager Server 4.1 (src): libgit2-0.26.8-150000.3.15.1
SUSE Manager Retail Branch Server 4.1 (src): libgit2-0.26.8-150000.3.15.1
SUSE Manager Proxy 4.1 (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15 (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 7 (src): libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 6 (src): libgit2-0.26.8-150000.3.15.1
SUSE CaaS Platform 4.0 (src): libgit2-0.26.8-150000.3.15.1
done