Bug 1201431 - (CVE-2022-29187) VUL-0: CVE-2022-29187: git,libgit2: incomplete fix for CVE-2022-24765
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Antonio Larrosa
CVSSv3.1:SUSE:CVE-2022-29187:7.3:(AV:...
Depends on:
Blocks:
Reported: 2022-07-12 18:33 UTC by Andreas Stieger
Modified: 2022-10-04 13:37 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2022-07-12 18:33:05 UTC
From https://lists.q42.co.uk/pipermail/git-announce/2022-July/001250.html

Fixed in Git v2.37.1, v2.30.5, v2.31.4, v2.32.3, v2.33.4,
v2.34.4, v2.35.4, and v2.36.2

CVE-2022-29187, where the fixes in v2.36.1 and below to address CVE-2022-24765 released earlier may not have been complete.

 * The safety check that verifies a safe ownership of the Git
   worktree is now extended to also cover the ownership of the Git
   directory (and the `.git` file, if there is any).

https://github.com/git/git/commit/3b0bf2704980b1ed6018622bdf5377ec22289688
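As an added example (not git's code and not part of this bug report), the following Python models the check the announcement describes: the owner of the worktree, of the git directory, and of the `.git` gitfile that points to it are all compared against the current user. The `check_gitdir=False` path reproduces the narrower pre-fix behaviour that looked only at the worktree, which is the gap CVE-2022-29187 closes. `check_safe_ownership`, `resolve_git_layout`, the injectable `owner` lookup and the constructed ownership table in `demo()` are assumptions of this example; git's real check additionally honours the `safe.directory` configuration and platform-specific ownership rules, which this model omits.

```python
"""Simplified model of git's "safe ownership" check (example code, not git's).

Before the CVE-2022-29187 fix, only the worktree owner was compared with the
current user. The fix also checks the owner of the git directory and of the
`.git` gitfile that names it (the layout used by linked worktrees and submodules).
"""
import os
import tempfile
from pathlib import Path


def resolve_git_layout(worktree):
    """Return (gitdir, gitfile) for a worktree.

    gitfile is None when `.git` is an ordinary directory; otherwise it is the
    `.git` file itself and gitdir is the directory named by its "gitdir: " line.
    """
    dotgit = Path(worktree) / ".git"
    if dotgit.is_dir():
        return dotgit, None
    if dotgit.is_file():
        lines = dotgit.read_text(encoding="utf-8").splitlines()
        if not lines or not lines[0].startswith("gitdir: "):
            raise ValueError(f"{dotgit}: not a gitfile")
        target = Path(lines[0][len("gitdir: "):].strip())
        if not target.is_absolute():
            target = dotgit.parent / target  # relative gitdir paths are allowed
        return target.resolve(), dotgit
    raise FileNotFoundError(f"{worktree}: no .git directory or file")


def default_owner(path):
    """Owner uid of a path (hypothetical helper, injectable so tests can fake owners)."""
    return os.stat(path).st_uid


def check_safe_ownership(worktree, uid=None, owner=default_owner, check_gitdir=True):
    """Return (ok, problems) for a repository rooted at `worktree`.

    check_gitdir=False reproduces the incomplete pre-fix behaviour that examined
    only the worktree; True is the extended check introduced by the fix.
    """
    uid = os.getuid() if uid is None else uid
    gitdir, gitfile = resolve_git_layout(worktree)
    to_check = [("worktree", Path(worktree))]
    if check_gitdir:
        to_check.append(("gitdir", gitdir))
        if gitfile is not None:
            to_check.append(("gitfile", gitfile))
    problems = []
    for label, path in to_check:
        found = owner(path)
        if found != uid:
            problems.append(f"{label} {path} is owned by uid {found}, not {uid}")
    return not problems, problems


def build_sample_layout(root):
    """Constructed sample: a worktree whose .git is a gitfile pointing elsewhere."""
    root = Path(root)
    worktree = root / "project"
    gitdir = root / "elsewhere" / "project.git"
    worktree.mkdir(parents=True)
    gitdir.mkdir(parents=True)
    (worktree / ".git").write_text(f"gitdir: {gitdir}\n", encoding="utf-8")
    return worktree, gitdir


def demo():
    """Run the old and new checks over the constructed layout.

    Returns (old_ok, new_ok, problems, real_ok): the narrow check, the extended
    check against a constructed ownership table, its findings, and the extended
    check using real stat() ownership (everything in the tempdir is ours).
    """
    with tempfile.TemporaryDirectory() as tmp:
        worktree, gitdir = build_sample_layout(tmp)
        me = 1000
        # Constructed ownership table: the worktree is "ours", but the gitdir it
        # points to, and the gitfile itself, belong to a different uid.
        owners = {
            worktree.resolve(): me,
            gitdir.resolve(): 4242,
            (worktree / ".git").resolve(): 4242,
        }
        fake_owner = lambda p: owners[Path(p).resolve()]
        old_ok, _ = check_safe_ownership(worktree, uid=me, owner=fake_owner, check_gitdir=False)
        new_ok, problems = check_safe_ownership(worktree, uid=me, owner=fake_owner)
        real_ok, _ = check_safe_ownership(worktree)
    return old_ok, new_ok, problems, real_ok


if __name__ == "__main__":
    old_ok, new_ok, problems, real_ok = demo()
    print("pre-fix (worktree only) accepts repo:", old_ok)
    print("extended check accepts repo:", new_ok)
    for problem in problems:
        print("  -", problem)
    print("extended check on real ownership:", real_ok)
```

With the constructed table the pre-fix check accepts the repository because the worktree is owned by the caller, while the extended check rejects it on both the gitdir and the gitfile; on real ownership inside the temporary directory the extended check passes.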
Comment 1 Andreas Stieger 2022-07-12 18:48:42 UTC
Also as previously there is a corresponding change to libgit2...
https://github.com/libgit2/libgit2/releases/tag/v1.4.4
https://github.com/libgit2/libgit2/releases/tag/v1.3.2
Comment 2 Hu 2022-07-13 11:17:19 UTC
Corresponding bug with the missing fix (CVE-2022-24765): bnc#1198234

Fix for git: see Andreas' comment

Affected git:
- SUSE:SLE-12:Update/git          2.26.2
- SUSE:SLE-15:Update/git          2.26.2
- SUSE:SLE-15-SP3:Update/git      2.35.3
- openSUSE:Factory/git            2.37.0

Fix for libgit2: https://github.com/libgit2/libgit2/pull/6349

Affected libgit2:
- SUSE:SLE-15-SP2:Update/libgit2  0.28.4
- SUSE:SLE-15:Update/libgit2      0.26.8
- SUSE:SLE-15-SP4:Update/libgit2  1.3.0
- openSUSE:Factory/libgit2        1.4.3
Comment 5 Swamp Workflow Management 2022-07-22 19:17:33 UTC
SUSE-SU-2022:2535-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1200119,1201431
CVE References: CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.26.2-150000.41.1
openSUSE Leap 15.3 (src):    git-2.26.2-150000.41.1
SUSE Manager Server 4.1 (src):    git-2.26.2-150000.41.1
SUSE Manager Retail Branch Server 4.1 (src):    git-2.26.2-150000.41.1
SUSE Manager Proxy 4.1 (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server for SAP 15 (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise Server 15-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    git-2.26.2-150000.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    git-2.26.2-150000.41.1
SUSE Enterprise Storage 7 (src):    git-2.26.2-150000.41.1
SUSE Enterprise Storage 6 (src):    git-2.26.2-150000.41.1
SUSE CaaS Platform 4.0 (src):    git-2.26.2-150000.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-07-22 19:18:31 UTC
SUSE-SU-2022:2537-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1200119,1201431
CVE References: CVE-2022-29187
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    git-2.26.2-27.57.1
SUSE OpenStack Cloud 9 (src):    git-2.26.2-27.57.1
SUSE OpenStack Cloud 8 (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    git-2.26.2-27.57.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    git-2.26.2-27.57.1
HPE Helion Openstack 8 (src):    git-2.26.2-27.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-07-26 16:18:25 UTC
SUSE-SU-2022:2550-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201431
CVE References: CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.35.3-150300.10.15.1
openSUSE Leap 15.3 (src):    git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    git-2.35.3-150300.10.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    git-2.35.3-150300.10.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Thomas Leroy 2022-08-10 08:40:25 UTC
(In reply to Hu from comment #2)
> Fix for libgit2: https://github.com/libgit2/libgit2/pull/6349
> 
> Affected libgit2:
> - SUSE:SLE-15-SP2:Update/libgit2  0.28.4
> - SUSE:SLE-15:Update/libgit2      0.26.8
> - SUSE:SLE-15-SP4:Update/libgit2  1.3.0

Hi Scott, could you please submit a fix for these? :)
Comment 10 Thomas Leroy 2022-09-08 13:35:56 UTC
Any news Antonio?
Comment 11 Antonio Larrosa 2022-09-13 10:20:16 UTC
I just submitted the following SRs to fix this:

https://build.suse.de/request/show/279522 for SLE-15:Update
https://build.suse.de/request/show/279523 for SLE-15-SP2:Update
https://build.suse.de/request/show/279524 for SLE-15-SP4:Update
Comment 12 Swamp Workflow Management 2022-09-15 19:25:41 UTC
SUSE-SU-2022:3283-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-1.3.0-150400.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    libgit2-1.3.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-10-04 13:28:54 UTC
SUSE-SU-2022:3494-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1198234,1201431
CVE References: CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-0.28.4-150200.3.3.1
openSUSE Leap 15.3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Retail Branch Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Manager Proxy 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libgit2-0.28.4-150200.3.3.1
SUSE Enterprise Storage 7 (src):    libgit2-0.28.4-150200.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-10-04 13:37:44 UTC
SUSE-SU-2022:3495-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1158790,1158981,1198234,1201431
CVE References: CVE-2019-1352,CVE-2022-24765,CVE-2022-29187
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libgit2-0.26.8-150000.3.15.1
openSUSE Leap 15.3 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Server 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Retail Branch Server 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Manager Proxy 4.1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server for SAP 15 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 7 (src):    libgit2-0.26.8-150000.3.15.1
SUSE Enterprise Storage 6 (src):    libgit2-0.26.8-150000.3.15.1
SUSE CaaS Platform 4.0 (src):    libgit2-0.26.8-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.