-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 May 2018 16:30:30 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u6) jessie-security; urgency=high
 .
   * Fix CVE-2018-11235, arbitrary code execution via submodule names in
     .gitmodules file:
     - submodule: verify submodule names as paths
     - fsck: drop inode-sorting code
     - fsck: simplify ".git" check
     - fsck: fsck blob data
     - fsck: detect gitmodules files
     - fsck: check .gitmodules content
     - fsck: call fsck_finish after fscking objects
     - unpack-objects: call fsck_finish after fscking objects
     - index-pack: check .gitmodules files with --strict
   * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
     - is_ntfs_dotgit: use a size_t for traversing string
   * Do not allow .gitmodules to be a symlink:
     - is_hfs_dotgit: loosen over-eager match of \u{..47}
     - is_hfs_dotgit: match other .git* files
     - is_ntfs_dotgit: match other .git* files
     - is_{hfs,ntfs}_dotgitmodules: add tests
     - skip_prefix: add case-insensitive variant
     - verify_path: drop clever fallthrough
     - verify_dotfile: mention case-insensitivity in comment
     - update-index: stat updated files earlier
     - verify_path: disallow .gitmodules symlinks
     - fsck: complain when .gitmodules is a symlink
 .
   Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
   discovering and reporting these vulnerabilities and to Jeff King and
   Johannes Schindelin for fixing them.
 .
   * Prevent "git apply" without --index from escaping the current
     directory (compare GNU patch's CVE-2015-1196):
     - apply: reject input that touches outside the working area
     - apply: do not read from the filesystem under --index
     - apply: do not read from beyond a symbolic link
     - apply: do not touch a file beyond a symbolic link
 .
   Thanks to Josh Boyer for reporting this vulnerability and Junio C
   Hamano for fixing it.
Checksums-Sha1:
 d5a0e4a7f15a5d0037da1c2b80cd295f89cd7dd6 2846 git_2.1.4-2.1+deb8u6.dsc
 91ea7b59ac1c30e24eff69cde6447a546ba44cf7 512872 git_2.1.4-2.1+deb8u6.debian.tar.xz
 cb5526fd6a4bea08baee54427dd420118a618b39 3707370 git_2.1.4-2.1+deb8u6_amd64.deb
 c5b2ef28b60a8340661b6b87089a4fedeadfa0fb 1410228 git-doc_2.1.4-2.1+deb8u6_all.deb
 194893f090be252647d944b370a749a08b781f73 589468 git-arch_2.1.4-2.1+deb8u6_all.deb
 e54cc09f0546cd90e5fd81ce33abfe0bfdf1b5b9 639114 git-cvs_2.1.4-2.1+deb8u6_all.deb
 88e0eb8cdd583cb3f50f79f3821e6a7c03f9e92e 663158 git-svn_2.1.4-2.1+deb8u6_all.deb
 a39381d435420a5b76794e755a76f50acb19359a 591804 git-mediawiki_2.1.4-2.1+deb8u6_all.deb
 bdb92c3c31791c63144adaabc4cd4ac64b759bed 577758 git-daemon-run_2.1.4-2.1+deb8u6_all.deb
 0817a205820132629486be7ef77d8c7e6bb9dc16 578724 git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
 7de2d8f02ea30d312331cbb620337ff8f34d3c39 595772 git-email_2.1.4-2.1+deb8u6_all.deb
 15b6e7ff1dd17f622ef02821a070de95497056b2 767112 git-gui_2.1.4-2.1+deb8u6_all.deb
 99b5ff26800337e44c7c31f05b40d06c9a3b029f 695764 gitk_2.1.4-2.1+deb8u6_all.deb
 b15cb1d1a5842182e5843950dede4759a4c80d7e 580634 gitweb_2.1.4-2.1+deb8u6_all.deb
 0b85fbbd0d66c63ffda2887b273afc89514f99f5 576068 git-all_2.1.4-2.1+deb8u6_all.deb
 dec823cd3e901ed183a9b232be26bc109ce90a90 595716 git-el_2.1.4-2.1+deb8u6_all.deb
 42e0871b9b3ed3c7db84d9791b3f83f2d6f2ef18 1268748 git-man_2.1.4-2.1+deb8u6_all.deb
 6e324d380d546e1f25f4ef01aab53bc1c489a411 1506 git-core_2.1.4-2.1+deb8u6_all.deb
Checksums-Sha256:
 15400085501045140f322a3ce5579015a911571014d59cafd95f0bf982b0fc64 2846 git_2.1.4-2.1+deb8u6.dsc
 782cb4ff810ca086d228711a1e3f0b5d743d9ba5dc7c221cb2bb596d1dd75c40 512872 git_2.1.4-2.1+deb8u6.debian.tar.xz
 5a96fae0a234fc1e96da4911182917e82b05d2b3d47ef41b7ebcf25c7d7ebbeb 3707370 git_2.1.4-2.1+deb8u6_amd64.deb
 1271670a62eea8322b635c88f334e95cac342fbc905c2f9de8c6e146176403d3 1410228 git-doc_2.1.4-2.1+deb8u6_all.deb
 2315d5c2e2d1025a52a08963fabebf2c12251daa93c5a5e3d3ede8f713fbe880 589468 git-arch_2.1.4-2.1+deb8u6_all.deb
 592735966d2f4f6a923255ccbb446f75de62920fe129ba79e26ae6218b8b01b2 639114 git-cvs_2.1.4-2.1+deb8u6_all.deb
 280613bd15e2c4c55624bb81667c6fe250f07b384155684d2239f9c76961479c 663158 git-svn_2.1.4-2.1+deb8u6_all.deb
 d487a82c38caf4531702ee3936720e6b1685df663ce11734978bcfd5aaf59b63 591804 git-mediawiki_2.1.4-2.1+deb8u6_all.deb
 89ef20af4eba40c473e45290ce14177fe25517fc8532d2c5e3144d354cd7075d 577758 git-daemon-run_2.1.4-2.1+deb8u6_all.deb
 80a8ab5f5174745690654ea5d26cbc2f2ef2b923b1bac9e34cea8f2774ae56d1 578724 git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
 4afbac1a3a27bd7c891b8d161faba8fe13d1f187e6436057027a2865393aa827 595772 git-email_2.1.4-2.1+deb8u6_all.deb
 f2efb2e64ff4fded8b834933b0ed69ba1acb77b9dacdc61ff3f2f155fbc3147a 767112 git-gui_2.1.4-2.1+deb8u6_all.deb
 c57edf64b0bd41808b9300af2b78206fe93f8f6af5d7f8e910ff18dd94b8eec4 695764 gitk_2.1.4-2.1+deb8u6_all.deb
 bcd61bb9bb1d469993e91f56e688fba000b4eb69bdd404ec67686cf3cc9b3d89 580634 gitweb_2.1.4-2.1+deb8u6_all.deb
 00d7d43ff7bb204481836a2203fe5d7ecc4172e2bcf5a9ab1639fe5680630c3f 576068 git-all_2.1.4-2.1+deb8u6_all.deb
 d4f83a457e05747a2385c2b0b113d557ccfeeb74ab623eb97a8fa3941d5ff03b 595716 git-el_2.1.4-2.1+deb8u6_all.deb
 ac65d3741db47478d8f132826aa4bf72006e31eedda269601567086e033ebd47 1268748 git-man_2.1.4-2.1+deb8u6_all.deb
 5cc6076919b007a664091835916242d38aa8a4a91ff2478327ec3a11e56aea72 1506 git-core_2.1.4-2.1+deb8u6_all.deb
Files:
 d8b37d26eb8c900867ba4c949bfe50f4 2846 vcs optional git_2.1.4-2.1+deb8u6.dsc
 a94cd99c03989617b3ca588d4b811d3f 512872 vcs optional git_2.1.4-2.1+deb8u6.debian.tar.xz
 0b87955ff4649283cd9709cce1198b48 3707370 vcs optional git_2.1.4-2.1+deb8u6_amd64.deb
 2a91b2efbd56a189eb0cb4e77cf3866a 1410228 doc optional git-doc_2.1.4-2.1+deb8u6_all.deb
 de223fed6974161fbd59d8dad4fdd992 589468 vcs optional git-arch_2.1.4-2.1+deb8u6_all.deb
 a6abf6b5b4ac0b87b0d37147e8f1cfff 639114 vcs optional git-cvs_2.1.4-2.1+deb8u6_all.deb
 c6bd0f7709078b32d6f47fab2f8fe5fb 663158 vcs optional git-svn_2.1.4-2.1+deb8u6_all.deb
 d4ddda1116f96461b34be884aba89416 591804 vcs optional git-mediawiki_2.1.4-2.1+deb8u6_all.deb
 09c69f9a9278bd2b9e05d45a0e39a661 577758 vcs optional git-daemon-run_2.1.4-2.1+deb8u6_all.deb
 802fbd17cc329b40acbe47ff5c1083b9 578724 vcs extra git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
 7a5f11a9b9a293183dc5e8bcd8164337 595772 vcs optional git-email_2.1.4-2.1+deb8u6_all.deb
 d7e1c2b252a8c91092599b921c135a5d 767112 vcs optional git-gui_2.1.4-2.1+deb8u6_all.deb
 c4078022b52d5169d5456a8bd3f488e5 695764 vcs optional gitk_2.1.4-2.1+deb8u6_all.deb
 3de350c42369f29f694088b9777b8f46 580634 vcs optional gitweb_2.1.4-2.1+deb8u6_all.deb
 2feb0811bea15e916687963e6b81060b 576068 vcs optional git-all_2.1.4-2.1+deb8u6_all.deb
 62dcae27d554883964915e12787b8d05 595716 vcs optional git-el_2.1.4-2.1+deb8u6_all.deb
 226ea69f8d0739498ce404ea5f5aa5f3 1268748 doc optional git-man_2.1.4-2.1+deb8u6_all.deb
 492ab5fe48928f16429659ca6c5057d8 1506 vcs optional git-core_2.1.4-2.1+deb8u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEUh5Y8X6W1xKqD/EC38Zx7rMz+iUFAlsMpu0THGpybmllZGVy
QGdtYWlsLmNvbQAKCRDfxnHuszP6JXqeD/4uHymje2d7SXcErgmoMLLiOfrjszHg
p7oKA24yNcMMvscrBnmyCScOk+YnDpWvbjP7+G1epT8+2H67sKmYWIYYqBeIae7q
wvE+1d8KSi5DuKyrFK6ljxFhy02OxZKxSK2ClcBHocPTsNkul1pm18/QlDKyIYwy
tVxYDxFxshNylL2dXsuYclY8k6gARQ8v7P3hpuY1lOWA1y1okYqpUgFZ9d0xDA2P
cW05GYxtzDhxNVcQzk/tEBUL8i8ng95Tb/466z7OyiFfWU7M9RzyXm0pmKrtMxEV
hnYvOWQLxIjVRINf6+7THHRWYgf4BCQto4J5ri4epc3VW+TC0ILGCQ8WreeuDAys
MpGiP/LhIxfaWKiq5Vkh93RJTVaKh6lSObA5grG6Cki2xM1glmBL9iqpbBgAnsgj
7aU7U4XqDOfvF921Sn8ZZQSKI/cdpVrvwsbBeJKLw9YLfSqPcah6uTezJ8u90apt
9dYb0MntNnybtsU7fv6YOUoB6V0h2anurM4v95Brypc+um/TTMoswbkxSqTLRe8t
SmhyJPIf69A5QSN2w4r9D/PzT+TOhIULBUT7zThm+nAXzhZhXcECrd59lGrFA0jT
c/Ifd1uDuFK/3nXA4uROcqDp1IKQwj2P6wc4+v0D6GcfN/6pk6pA5Up5+eC+Frkh
HVevS8RU2LuSYw==
=VYmN
-----END PGP SIGNATURE-----
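The two path rules the changelog above tightens, as an added example that is not git's or Debian's code: the submodule-name rule behind "submodule: verify submodule names as paths" (CVE-2018-11235), run over a constructed .gitmodules blob the way an fsck-style content check would, and a simplified form of the target-path validation that "apply: reject input that touches outside the working area" relies on. The .gitmodules sample, the function names, and the restriction to exact `..` and `.git` components are this example's own assumptions; the HFS/NTFS look-alike spellings (is_hfs_dotgit, is_ntfs_dotgit) and the symlink cases in the changelog need more than string checks and are not modelled.

```c
/* Added example, not git's or Debian's code: string-level checks of the
 * kind this update adds. Symlink handling ("beyond a symbolic link") needs
 * the filesystem and is left out. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Split on both '/' and '\\' so the rule is the same on every platform,
 * and report whether any path component satisfies is_bad. */
static int has_bad_component(const char *path,
                             int (*is_bad)(const char *, size_t))
{
    const char *p = path;
    for (;;) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (is_bad(p, (size_t)(end - p)))
            return 1;
        if (!*end)
            return 0;
        p = end + 1;
    }
}

static int is_dotdot(const char *c, size_t n)
{
    return n == 2 && c[0] == '.' && c[1] == '.';
}

/* Exact ".git" only, case-insensitively (assumption: look-alike forms
 * such as "git~1" or ".git<dot>" are out of scope here). */
static int is_dotgit(const char *c, size_t n)
{
    return n == 4 && c[0] == '.' &&
           tolower((unsigned char)c[1]) == 'g' &&
           tolower((unsigned char)c[2]) == 'i' &&
           tolower((unsigned char)c[3]) == 't';
}

/* A submodule name becomes a directory under .git/modules/, so a name with
 * a ".." component lets a hostile .gitmodules write elsewhere in .git
 * (hooks, for instance). Accept only non-empty names without "..". */
int submodule_name_ok(const char *name)
{
    return *name != '\0' && !has_bad_component(name, is_dotdot);
}

/* Count unacceptable names in a .gitmodules blob. Simplified parser: only
 * [submodule "<name>"] headers occupying a whole line are recognised and
 * escapes inside the quotes are ignored. */
int scan_gitmodules(const char *blob)
{
    static const char pfx[] = "[submodule \"";
    const size_t plen = sizeof(pfx) - 1;
    int bad = 0;
    const char *line = blob;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= plen + 2 && strncmp(line, pfx, plen) == 0 &&
            line[len - 2] == '"' && line[len - 1] == ']') {
            char name[256];
            size_t nlen = len - plen - 2;
            if (nlen >= sizeof(name))
                nlen = sizeof(name) - 1;
            memcpy(name, line + plen, nlen);
            name[nlen] = '\0';
            if (!submodule_name_ok(name))
                bad++;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return bad;
}

/* Patch target path check in the spirit of "apply: reject input that
 * touches outside the working area": no absolute path, no DOS drive
 * prefix, no trailing separator, no ".." or ".git" component. */
int apply_path_ok(const char *path)
{
    size_t n = strlen(path);
    if (n == 0 || path[0] == '/' || path[0] == '\\')
        return 0;
    if (n >= 2 && isalpha((unsigned char)path[0]) && path[1] == ':')
        return 0;
    if (path[n - 1] == '/' || path[n - 1] == '\\')
        return 0;
    return !has_bad_component(path, is_dotdot) &&
           !has_bad_component(path, is_dotgit);
}

/* Constructed .gitmodules blob: one name with a ".." component, one sane. */
static const char GITMODULES_SAMPLE[] =
    "[submodule \"../../modules/evil\"]\n"
    "\tpath = evil\n"
    "\turl = https://example.invalid/evil.git\n"
    "[submodule \"lib/ok\"]\n"
    "\tpath = lib/ok\n"
    "\turl = https://example.invalid/ok.git\n";

int main(void)
{
    printf("bad submodule names in sample: %d\n",
           scan_gitmodules(GITMODULES_SAMPLE));
    printf("../etc/passwd as apply target: %s\n",
           apply_path_ok("../etc/passwd") ? "ok" : "rejected");
    return 0;
}
```

Per the changelog items above, the update runs checks of this kind inside git fsck and, with --strict, in index-pack, so a repository carrying such a .gitmodules blob is refused at verification time rather than acted on at clone time.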