Bug 1158785 – VUL-0: CVE-2019-1348: git: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths

Bug 1158785 - (CVE-2019-1348) VUL-0: CVE-2019-1348: git: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths

(CVE-2019-1348)
Summary:	VUL-0: CVE-2019-1348: git: The --export-marks option of fast-import is expose...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/248578/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-12-09 12:46 UTC by Wolfgang Frisch
Modified:	2020-05-01 22:27 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2019-1349 CVE-2019-1350 CVE-2019-1351 CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387 CVE-2019-19604
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 10 Swamp Workflow Management 2019-12-11 07:20:06 UTC

This is an autogenerated message for OBS integration:
This bug (1158785) was mentioned in
https://build.opensuse.org/request/show/755723 Factory / git

Comment 12 Swamp Workflow Management 2019-12-11 09:50:16 UTC

This is an autogenerated message for OBS integration:
This bug (1158785) was mentioned in
https://build.opensuse.org/request/show/755763 15.1 / git

Comment 13 Andreas Stieger 2019-12-12 12:18:17 UTC

Please also evaluate against libgit2 for a maintenance update:
https://github.com/libgit2/libgit2/releases/tag/v0.27.10
https://github.com/libgit2/libgit2/releases/tag/v0.28.4

https://build.opensuse.org/request/show/756053

Comment 14 Swamp Workflow Management 2019-12-16 17:11:36 UTC

SUSE-SU-2019:3311-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082023,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795
CVE References: CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604
Sources used:
SUSE OpenStack Cloud 8 (src):    git-2.12.3-27.22.1
SUSE OpenStack Cloud 7 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP4 (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    git-2.12.3-27.22.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    git-2.12.3-27.22.1
SUSE Enterprise Storage 5 (src):    git-2.12.3-27.22.1
SUSE CaaS Platform 3.0 (src):    git-2.12.3-27.22.1
HPE Helion Openstack 8 (src):    git-2.12.3-27.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2020-01-08 17:16:17 UTC

SUSE-SU-2020:0045-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1082023,1149792,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795
CVE References: CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    git-2.16.4-3.17.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    git-2.16.4-3.17.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    git-2.16.4-3.17.2, perl-Authen-SASL-2.16-1.3.1, perl-Net-SMTP-SSL-1.04-1.3.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    git-2.16.4-3.17.2, perl-Authen-SASL-2.16-1.3.1, perl-Net-SMTP-SSL-1.04-1.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    git-2.16.4-3.17.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    git-2.16.4-3.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Markéta Machová 2020-01-10 09:45:14 UTC

Probably fixed. Reassigning back to security team.

Comment 17 Swamp Workflow Management 2020-01-29 11:12:00 UTC

openSUSE-SU-2020:0123-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1082023,1149792,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795
CVE References: CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604
Sources used:
openSUSE Leap 15.1 (src):    git-2.16.4-lp151.4.3.1, perl-Authen-SASL-2.16-lp151.3.3.1, perl-Net-SMTP-SSL-1.04-lp151.3.3.1

Comment 18 Alexandros Toptsoglou 2020-04-24 15:11:05 UTC

Done

Comment 19 Swamp Workflow Management 2020-04-28 10:36:59 UTC

SUSE-SU-2020:1121-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    git-2.26.1-3.25.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    git-2.26.1-3.25.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2020-05-01 22:27:53 UTC

openSUSE-SU-2020:0598-1: An update that solves 15 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1063412,1095218,1095219,1110949,1112230,1114225,1132350,1149792,1156651,1158785,1158787,1158788,1158789,1158790,1158791,1158792,1158793,1158795,1167890,1168930,1169605,1169786,1169936
CVE References: CVE-2017-15298,CVE-2018-11233,CVE-2018-11235,CVE-2018-17456,CVE-2019-1348,CVE-2019-1349,CVE-2019-1350,CVE-2019-1351,CVE-2019-1352,CVE-2019-1353,CVE-2019-1354,CVE-2019-1387,CVE-2019-19604,CVE-2020-11008,CVE-2020-5260
Sources used:
openSUSE Leap 15.1 (src):    git-2.26.1-lp151.4.9.1