Bug 1204456 - (CVE-2022-39260) VUL-0: CVE-2022-39260: git: overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution
(CVE-2022-39260)
VUL-0: CVE-2022-39260: git: overflow in `split_cmdline()`, leading to arbitra...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/345615/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-10-19 06:39 UTC by Alexander Bergmann
Modified: 2022-11-29 17:33 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Upstream fix for CVE-2022-39260 (2.98 KB, patch)
2022-10-19 07:31 UTC, Alexander Bergmann
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2022-10-19 06:39:41 UTC
CVE-2022-39260

Posted by Taylor Blau on Oct 18The Git project released new versions on 2022-10-18, addressing CVEs
2022-39253, 2022-39260. We highly recommend upgrading to one of the
fixed versions below:

  v2.30.6 v2.31.5 v2.32.4 v2.33.5 v2.34.5 v2.35.5 v2.36.3 v2.37.4 v2.38.1

If you are on the unreleased development track, the same fix is
already included, so you do not have to do anything.

https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u

The relevant information from the...

CVE-2022-39260:
   An overly-long command string given to `git shell` can result in
   overflow in `split_cmdline()`, leading to arbitrary heap writes and
   remote code execution when `git shell` is exposed and the directory
   `$HOME/git-shell-commands` exists.

   `git shell` is taught to refuse interactive commands that are
   longer than 4MiB in size. `split_cmdline()` is hardened to reject
   inputs larger than 2GiB.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39260
https://seclists.org/oss-sec/2022/q4/31
Comment 1 Alexander Bergmann 2022-10-19 07:31:34 UTC
Created attachment 862255 [details]
Upstream fix for CVE-2022-39260

Commit: 0ca6ead81edd4fb1984b69aae87c1189e3025530
Comment 6 OBSbugzilla Bot 2022-10-26 20:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1204456) was mentioned in
https://build.opensuse.org/request/show/1031390 Factory / git
Comment 7 Swamp Workflow Management 2022-11-10 14:29:52 UTC
SUSE-SU-2022:3931-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204455,1204456
CVE References: CVE-2022-39253,CVE-2022-39260
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    git-2.35.3-150300.10.18.1
openSUSE Leap 15.3 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    git-2.35.3-150300.10.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    git-2.35.3-150300.10.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-29 17:33:21 UTC
SUSE-SU-2022:4271-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204455,1204456
CVE References: CVE-2022-39253,CVE-2022-39260
JIRA References: 
Sources used:
SUSE OpenStack Cloud 8 (src):    git-2.26.2-27.60.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    git-2.26.2-27.60.1
SUSE Linux Enterprise Server 12-SP5 (src):    git-2.26.2-27.60.1
HPE Helion Openstack 8 (src):    git-2.26.2-27.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.