Bugzilla – Bug 1063412
VUL-1: CVE-2017-15298: git: Mishandling layers of tree objects, which allows remote attackers to cause DoS a crafted repository, aka a Git bomb
Last modified: 2020-09-24 13:37:02 UTC
CVE-2017-15298 Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298 http://www.cvedetails.com/cve/CVE-2017-15298/ https://github.com/Katee/git-bomb https://kate.io/blog/git-bomb/
Reproducible on 2.15.0
Upstream fix: https://github.com/git/git/commit/a937b37e766479c8e780b17cce9c4b252fd97e40
Sigh, this was overseen again during my vacation. The fixed package was submitted: Leap 42.3, MR#594024 SLE12, MR#161218 SLE11-SP1, MR#161219
Reassigned back to security team.
This is an autogenerated message for OBS integration: This bug (1063412) was mentioned in https://build.opensuse.org/request/show/594024 42.3 / git
openSUSE-SU-2018:0914-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1063412 CVE References: CVE-2017-15298 Sources used: openSUSE Leap 42.3 (src): git-2.13.6-10.1
There is no fix forthcoming from upstream, so I think we may leave it as is.
Reassigned to the new git package maintainer.
(In reply to previous private comment) I guess this bug (as it is tested here) can not be fixed because the actual checkout is huge and it will always be huge because of blobs (just imagine what would happen if you made a change in one file, how big would the diff be, it has to track every path...). The only thing which can be done (I think) is to teach git to refuse to do the checkout.
SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): git-2.26.1-3.25.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): git-2.26.1-3.25.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936 CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260 Sources used: openSUSE Leap 15.1 (src): git-2.26.1-lp151.4.9.1
Released.