GNU bug report logs - #55001
[PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].


Package: guix-patches;

Reported by: Zhu Zihao <all_but_last <at> 163.com>

Date: Mon, 18 Apr 2022 13:44:01 UTC

Severity: normal

Tags: patch

Done: Mathieu Othacehe <othacehe <at> gnu.org>

Bug is archived. No further changes may be made.



Message #20 received at 55001 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Zhu Zihao <all_but_last <at> 163.com>, Greg Hogan <code <at> greghogan.com>
Cc: 55001 <at> debbugs.gnu.org
Subject: Re: [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes
 CVE-2022-24765].
Date: Mon, 18 Apr 2022 20:03:16 +0200
Zhu Zihao wrote on Tue 19-04-2022 at 00:02 [+0800]:
> 
> Hi.
> 
> https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
> 
> This article says "likely due to only affect Microsoft Windows". I
> haven't tested this CVE on *nix systems.
> 
> If it doesn't affect Guix systems, should I remove "[fixes
> CVE-2022-24765]" in the git commit message or leave it there?

According to <https://lwn.net/Articles/891112/#Comments> and its
comments, it affects ‘multi-user (*) Linux (**) systems’ as well, if
someone has their git repo inside /tmp.  (Does anyone actually do
that?)

(*) I would think this includes otherwise single-user systems with a
compromised daemon as well?  
(**) Presumably also GNU/Hurd and the BSDs.

Greetings,
Maxime.




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.