See https://secure.phabricator.com/T13673 for full details.
This is mostly recorded for completeness; TL;DR is (1) Likely no real security risk to installs, but (2) some Ubuntu-based installs may be broken due to security fix.
Upstream might fix the fix by updating bunch of call-sites to git in the web/conduit flows.
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Open | None | T15090 CVE-2022-24765 - Multi-user Git Privilege Escalation | ||
| Open | None | T15282 Fix/avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge' | ||
| Resolved | valerio.bozzolan | T15243 The /config/ page should log git errors instead of silently ignore them | ||
| Open | None | T15299 Config page runs git commands that should have an HOME to open gitconfig correctly | ||
| Open | None | T15281 $HOME missing from commands issued by ExecFuture | ||
| Resolved | valerio.bozzolan | T15298 Get the HOME of the user running the PHP webserver |
err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...
We need to cherry-pick and import the changes Evan made into the Phorge repository as well...
@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.
ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too
apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:
git (1:2.25.1-1ubuntu3.3) focal-security; urgency=medium
* SECURITY UPDATE: Run commands in diff users
- debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
an owner check for the top-level-directory; add a function to
determine whether a path is owned by the current user in patch.c,
t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
git-compat-util.h.
- CVE-2022-24765
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Fri, 08 Apr 2022 09:57:16 -0300
git (1:2.25.1-1ubuntu3.2) focal-security; urgency=medium
* SECURITY UPDATE: cross-protocol request via newline character in repo path
- debian/patches/CVE-2021-40330.patch: forbid newline in git:// hosts and
repo paths
- CVE-2021-40330
-- Spyros Seimenis <spyros.seimenis@canonical.com> Thu, 09 Sep 2021 14:42:33 +0300
git (1:2.25.1-1ubuntu3.1) focal-security; urgency=medium
* SECURITY UPDATE: remote code exec during clone on case-insensitive FS
- debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
follow symlinks in leading path in cache.h, compat/mingw.c,
git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
t/t0021/rot13-filter.pl, t/t2006-checkout-index-basic.sh,
unpack-trees.c.
- CVE-2021-21300
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 04 Mar 2021 08:01:28 -0500The two other patches don't seem to be of particular interest for most Phorge instances, though more exotic setups might have issues with the first (oldest) one not being included
I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.
seems to be a temporary workaround
It was especially aimed at this phorge here - to get it work until the fix is pulled in from upstream.
@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.
Yes, probably. "Announcements"-style thing