Page MenuHomePhorge

CVE-2022-24765 - Multi-user Git Privilege Escalation
Open, Needs TriagePublic

Description

See https://secure.phabricator.com/T13673 for full details.


This is mostly recorded for completeness; TL;DR is (1) Likely no real security risk to installs, but (2) some Ubuntu-based installs may be broken due to security fix.

Upstream might fix the fix by updating bunch of call-sites to git in the web/conduit flows.

Event Timeline

err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...

avivey changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 13 2022, 18:10
avivey shifted this object from the Restricted Space space to the S1 Public space.

We need to cherry-pick and import the changes Evan made into the Phorge repository as well...

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too

apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

git (1:2.25.1-1ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: Run commands in diff users
    - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
      an owner check for the top-level-directory; add a function to
      determine whether a path is owned by the current user in patch.c,
      t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
      git-compat-util.h.
    - CVE-2022-24765

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Fri, 08 Apr 2022 09:57:16 -0300

git (1:2.25.1-1ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: cross-protocol request via newline character in repo path
    - debian/patches/CVE-2021-40330.patch: forbid newline in git:// hosts and
      repo paths
    - CVE-2021-40330

 -- Spyros Seimenis <spyros.seimenis@canonical.com>  Thu, 09 Sep 2021 14:42:33 +0300

git (1:2.25.1-1ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: remote code exec during clone on case-insensitive FS
    - debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
      follow symlinks in leading path in cache.h, compat/mingw.c,
      git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
      t/t0021/rot13-filter.pl, t/t2006-checkout-index-basic.sh,
      unpack-trees.c.
    - CVE-2021-21300

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 04 Mar 2021 08:01:28 -0500

The two other patches don't seem to be of particular interest for most Phorge instances, though more exotic setups might have issues with the first (oldest) one not being included

apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.

apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.

seems to be a temporary workaround

It was especially aimed at this phorge here - to get it work until the fix is pulled in from upstream.

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

In T15090#2141, @avivey wrote:

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

T15095: Setup an announcements blog with Phame