Bug 1204456 (CVE-2022-39260)

Summary: VUL-0: CVE-2022-39260: git: overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, danilo.spinella, rfrohl, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/345615/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Upstream fix for CVE-2022-39260

Description Alexander Bergmann 2022-10-19 06:39:41 UTC 
CVE-2022-39260

Posted by Taylor Blau on Oct 18The Git project released new versions on 2022-10-18, addressing CVEs
2022-39253, 2022-39260. We highly recommend upgrading to one of the
fixed versions below:

  v2.30.6 v2.31.5 v2.32.4 v2.33.5 v2.34.5 v2.35.5 v2.36.3 v2.37.4 v2.38.1

If you are on the unreleased development track, the same fix is
already included, so you do not have to do anything.

https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u

The relevant information from the...

CVE-2022-39260:
   An overly-long command string given to `git shell` can result in
   overflow in `split_cmdline()`, leading to arbitrary heap writes and
   remote code execution when `git shell` is exposed and the directory
   `$HOME/git-shell-commands` exists.

   `git shell` is taught to refuse interactive commands that are
   longer than 4MiB in size. `split_cmdline()` is hardened to reject
   inputs larger than 2GiB.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39260
https://seclists.org/oss-sec/2022/q4/31
Comment 1 Alexander Bergmann 2022-10-19 07:31:34 UTC 
Created attachment 862255 [details]
Upstream fix for CVE-2022-39260

Commit: 0ca6ead81edd4fb1984b69aae87c1189e3025530
Comment 6 OBSbugzilla Bot 2022-10-26 20:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1204456) was mentioned in
https://build.opensuse.org/request/show/1031390 Factory / git
Comment 7 Swamp Workflow Management 2022-11-10 14:29:52 UTC 
SUSE-SU-2022:3931-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204455,1204456
CVE References: CVE-2022-39253,CVE-2022-39260
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.35.3-150300.10.18.1
openSUSE Leap 15.3 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    git-2.35.3-150300.10.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-29 17:33:21 UTC 
SUSE-SU-2022:4271-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204455,1204456
CVE References: CVE-2022-39253,CVE-2022-39260
JIRA References: 
Sources used:
SUSE OpenStack Cloud 8 (src):    git-2.26.2-27.60.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.26.2-27.60.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.26.2-27.60.1
HPE Helion Openstack 8 (src):    git-2.26.2-27.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2023-02-15 14:33:13 UTC 
SUSE-SU-2023:0418-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1204455,1204456,1208027,1208028
CVE References: CVE-2022-39253,CVE-2022-39260,CVE-2023-22490,CVE-2023-23946
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    git-2.26.2-150000.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    git-2.26.2-150000.47.1
SUSE Enterprise Storage 7 (src):    git-2.26.2-150000.47.1
SUSE CaaS Platform 4.0 (src):    git-2.26.2-150000.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.