Bug 1098062 - (CVE-2018-10857) VUL-0: CVE-2018-10857: git-annex: file content disclosure
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/208427/
Whiteboard: obs:running:10796:moderate
Reported: 2018-06-18 14:42 UTC by Marcus Meissner
Modified: 2019-08-13 14:45 UTC

Comment 1 Marcus Meissner 2018-06-19 05:21:07 UTC
CVE-2018-10857
Comment 3 Peter Simons 2018-06-20 11:04:23 UTC
git-annex is very good at remaining backwards compatible with older versions. I don't see any risks in performing a full update to the latest version in Leap 15.0 and possibly 42.3, too. I have prepared such an update in https://build.opensuse.org/package/show/devel:languages:haskell:lts:9/git-annex already. Once the new version comes out, I intend to update that missing step and to submit the full update to Leap. Factory and SLES are not affected.
Comment 4 Marcus Meissner 2018-06-27 05:49:12 UTC
Is public now.

CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
exposure and exfiltration attack. It could expose the content of files
located outside the git-annex repository, or content from a private web
server on localhost or the LAN. Joey Hess discovered this attack.
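The advisory text above names two target classes: files outside the repository (reachable through a file:// URL) and private web servers on localhost or the LAN. The block below is an added illustration of the destination check a fetcher needs before it downloads a URL that came from untrusted data; it is not git-annex's own code (git-annex is written in Haskell) and does not claim to reproduce its fix. The resolver table, hostnames and URLs are constructed so that it runs offline.

```python
"""
Destination check for URLs fetched on behalf of untrusted data.
Added illustration, not git-annex's code: refuses non-HTTP(S) schemes
(file:// among them) and hosts that are, or resolve to, loopback,
private/LAN, link-local or otherwise non-public addresses.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: only plain web fetches are wanted; file://, ftp:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_nonpublic(ip):
    """True for addresses a fetcher must never contact on behalf of remote data."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 ranges apply to it too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def url_allowed(url, resolver=None):
    """Return (allowed, reason) for a URL.

    resolver(hostname) -> list of address strings. Without a resolver, names
    that are not IP literals are refused (fail closed), since we cannot tell
    where they point.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "URL has no host"
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a canonical IP literal. Shorthand forms such as "127.1" also land
        # here and are only accepted if a resolver vouches for them.
        if resolver is None:
            return False, f"cannot resolve {host!r}: no resolver configured"
        answers = resolver(host)
        if not answers:
            return False, f"{host!r} did not resolve"
        addresses = [ipaddress.ip_address(a) for a in answers]
    # Every answer must be public: a name with one public and one loopback
    # record could otherwise be used to reach the local host.
    for ip in addresses:
        if is_nonpublic(ip):
            return False, f"{host!r} points at non-public address {ip}"
    return True, "ok"


# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(name):
    """Hypothetical resolver over the constructed table above."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for u in ["file:///etc/passwd", "http://localhost:8000/secret",
              "http://[::ffff:10.0.0.5]/", "http://rebind.example/",
              "https://example.com/public"]:
        print(u, "->", url_allowed(u, fake_resolver))
```

Two caveats apply to any real deployment of such a check: the addresses verified here must be the ones the connection is actually made to (resolve once and connect to that address, or the name can be re-resolved to a different answer between check and fetch), and every HTTP redirect target must go through the same check before it is followed.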
Comment 6 Swamp Workflow Management 2018-06-27 12:40:10 UTC
This is an autogenerated message for OBS integration:
This bug (1098062) was mentioned in
https://build.opensuse.org/request/show/619363 15.0 / git-annex
https://build.opensuse.org/request/show/619364 42.3 / git-annex
https://build.opensuse.org/request/show/619365 Backports:SLE-12 / git-annex
Comment 7 Andreas Stieger 2018-06-30 09:53:07 UTC
> https://build.opensuse.org/request/show/619365 Backports:SLE-12 / git-annex

Simon, can you please check the build failures in the incident and indicate any missing change, dependencies or configuration?

https://build.opensuse.org/package/show/openSUSE:Maintenance:8372/git-annex.openSUSE_Backports_SLE-12
Comment 8 Peter Simons 2018-06-30 17:18:04 UTC
(In reply to Andreas Stieger from comment #7)
> https://build.opensuse.org/package/show/openSUSE:Maintenance:8372/git-annex.openSUSE_Backports_SLE-12

The build failed because the version of "ghc-network" present in that project lacks two functions that git-annex assumes to be there. I added a patch to git-annex to fix that issue in this code stream. https://build.opensuse.org/request/show/619934 has the updated version.
Comment 9 Swamp Workflow Management 2018-06-30 18:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1098062) was mentioned in
https://build.opensuse.org/request/show/619936 Backports:SLE-12 / git-annex
https://build.opensuse.org/request/show/619939 42.3 / git-annex
https://build.opensuse.org/request/show/619940 15.0 / git-annex
Comment 10 Andreas Stieger 2018-07-05 18:16:39 UTC
done
Comment 11 Swamp Workflow Management 2018-07-05 22:09:37 UTC
openSUSE-SU-2018:1896-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098062,1098364
CVE References: CVE-2018-10857,CVE-2018-10859
Sources used:
openSUSE Leap 42.3 (src):    git-annex-6.20180626-8.1
openSUSE Leap 15.0 (src):    git-annex-6.20180626-lp150.2.5.1
Comment 12 Swamp Workflow Management 2018-07-05 22:10:08 UTC
openSUSE-SU-2018:1897-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1098062,1098364
CVE References: CVE-2018-10857,CVE-2018-10859
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    git-annex-6.20180626-7.1