1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202401-17 ] libgit2: Privilege Escalation Vuln

    From glsamaker@gentoo.org@21:1/5 to All on Sun Jan 14 10:20:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202401-17
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: libgit2: Privilege Escalation Vulnerability
    Date: January 14, 2024
    Bugs: #857792
    ID: 202401-17

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in libgit2 which could result in
    privilege escalation.

    Background
    ==========

    libgit2 is a portable, pure C implementation of the Git core methods
    provided as a re-entrant linkable library with a solid API.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ---------------- ------------ ------------
    dev-libs/libgit2 < 1.4.4 >= 1.4.4

    Description
    ===========

    A vulnerability has been discovered in libgit2. Please review the CVE identifier referenced below for details.

    Impact
    ======

    Usages of a malicious crafted Git repository could allow the creator of
    the repository to elevate privileges to those of the user accessing the repository.

    Workaround
    ==========

    Administrators can ensure that their usages of libgit2 only interact
    with repositories which have only been modified by trusted users.

    Resolution
    ==========

    All libgit2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-1.4.4"

    References
    ==========

    [ 1 ] CVE-2022-29187
    https://nvd.nist.gov/vuln/detail/CVE-2022-29187

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202401-17

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmWjpiMACgkQFMQkOaVy +9mvsw/8DZX90Wvyz7+mulkZSa+XDJFvrCH0tjfxR7Lcx3yFrhzAFQJ0PQ/ji+5L T2/CPCpjWbe0FZFTWMc/EFLxOM529QA7B35vvSEOQV5ozTobAUJHdaIjAGC/ibOj RqN5vgxzNETRRhGD/Dzrgakme5OSMWSlLJZrSldLb0NoaFkVM3+AFsE+IbWb0dxo +Sd0JWxhrs+MR0pxGdW1VHMOs+jn4YEnYOUhspV9MWIrrbACzfOwlFYeYka2U7la 8PH5gIS1pYz03s4sb0UFjekBXzSm/Cn9p/Wze1ijEx39UpOR8kHBteO95ll1NUPJ 97voSphHZNOiGcs6SkJFa0fHsU3XLZ8J+XWZPj8Ej1h8acuK8sVCB+BPsouHRlz7 6/UZbnoDlVFg94BKlRGzX5Ug97RK0B2vd02YnR0D7E9UQF40ieYf62Mb1UEodmo3 eAaLHsYl2ufuAs1mC35AddFzPuq3rUf98qI+iZ13tUXtYB2cub4Eb9nk0jjv0z9W /DHzwOAzuFw/ByDCblmQgnGz02YNYBj6WZkoIRP7gRfAv2G2pTuVFFz5H+YFnclj TPyik1R1MPKqfcy9Zr1abXkxVzs/kCbckrYoETaKNfGzYQC2usGBNpthVC/Uo09Z ySeaGE6iCLe0j3naZbkIhtq7d3DhC1pIlv4RnlvScgF8x9f9N98=
    =w9V4
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)