CVE-2022-24765 and safe.directory settings

Asked by Gerrit Venema

Are Ubuntu security updates going to incorporate the changes in https://github.com/gitgitgadget/git/pull/1215?

The security fix delivered in https://ubuntu.com/security/notices/USN-5376-1 was a major breaking change. This was not acknowledged in the security notice.

The fix in this USN is very broad and will break containers and deployment scripts also in environments that are tightly controlled but use git commands on directories that have ownership different from the executing effective id of those scripts. The safe.directory setting also doesn't provide any globbing options and also requires explicitly including any nested directories below a safe directory. This will require complete reworkings of deployments and containers.

The update published by git itself only days after the first update will at least allow administrators to disable the check. Also it corrects an error where directories set in other sections of the config could actually be interpreted as safe directories.

https://github.com/gitgitgadget/git/pull/1215
https://github.com/git/git/blob/v2.30.4/Documentation/RelNotes/2.30.4.txt

Question information

Language: English
Status: Solved
For: Ubuntu git
Assignee: No assignee
Solved by: Gerrit Venema
Bernard Stafford (bernard010) said (last edit):
#1

That is a medium-priority CVE fix that was released.
https://ubuntu.com/security/cve-2022-24765
Update your system using the provided fixes:
https://ubuntu.com/security/notices/USN-5376-1
What is the question from above?

Gerrit Venema (gmoniker) said:
#2

@bernard010

The question is whether the fix on the fix is going to be delivered in the security channel (or maybe in updates)?

The fix as delivered in USN-5376-1 is with a failing check on the correct config section and requires explicitly listing each and every git directory on the whole system if not used with the same effective owner as the filesystem owner. This is going to cause large breakage of deployments and maintenance scripts that use git.

So will the changes from https://github.com/gitgitgadget/git/pull/1215 be delivered also? They are published from 2.30.4 upwards.
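The two behaviours this thread complains about, the exact-path listing that leaves nested repositories uncovered and the config parser that accepted values from sections other than [safe], can be illustrated with a small model. The following Python is an added example written for this page; it is not git's own code, not the Ubuntu package, and not part of the thread. The config text and repository layout are constructed, the uids are made up, and the '*' opt-out value is the one described in the linked 2.30.4 release notes.

```python
import os
from typing import Dict, List

# Constructed sample config (not from the thread): one repository listed under
# [safe], plus an unrelated path under [core] that a key-blind parser would
# wrongly treat as a safe directory.
SAMPLE_CONFIG = """
[core]
    editor = /usr/local/bin/not-a-repo
[safe]
    directory = /srv/deploy/app
"""


def parse_safe_directories(config_text: str, check_key: bool = True) -> List[str]:
    """Return the safe.directory values found in git-config-style text.

    check_key=True models the corrected behaviour: only the safe.directory
    key counts.  check_key=False models the defect described in the question,
    where values from other config sections were also taken as safe
    directories.
    """
    safe: List[str] = []
    section = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = f"{section}.{name.lower()}"
        if check_key and key != "safe.directory":
            continue
        if not value:
            safe.clear()  # git documents an empty value as clearing the list
            continue
        safe.append(value)
    return safe


def is_repo_allowed(repo: str, safe: List[str], owner_uid: int, euid: int) -> bool:
    """Model of the CVE-2022-24765 ownership check for one repository directory.

    A repository owned by the effective user is always allowed.  Otherwise its
    path must appear in the safe list exactly (no globbing, no prefix match,
    so a nested repository is not covered by its parent's entry), or the list
    must contain '*', the opt-out that 2.30.4 added.
    """
    if owner_uid == euid:
        return True
    if "*" in safe:
        return True
    wanted = os.path.normpath(repo)
    return any(os.path.normpath(p) == wanted for p in safe)


def repos_needing_entries(config_text: str, repos: Dict[str, int], euid: int) -> List[str]:
    """List the repositories a script running as euid would be refused.

    repos maps repository path -> owner uid (constructed here; on a real host
    the uid would come from os.stat(path).st_uid).
    """
    safe = parse_safe_directories(config_text)
    return sorted(p for p, uid in repos.items() if not is_repo_allowed(p, safe, uid, euid))


if __name__ == "__main__":
    # Constructed layout: a root-run deployment script touching repos owned by uid 1000.
    layout = {"/srv/deploy/app": 1000, "/srv/deploy/app/vendor/lib": 1000, "/root/tools": 0}
    print(repos_needing_entries(SAMPLE_CONFIG, layout, euid=0))
    # -> ['/srv/deploy/app/vendor/lib']
```

Running the audit against a real host's config and repository list tells an administrator which paths still need a `git config --global --add safe.directory <path>` entry under the 2.30.3 rules; once the 2.30.4 changes are present, `safe.directory` set to `*` makes `repos_needing_entries` return an empty list, which is the "disable the check" option the question refers to.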

Bernard Stafford (bernard010) said (last edit):
#3

Both a fix and through security updates.
I do not know how git gets their security updates out.
Most likely through your regular security updates is how Ubuntu handles them.
That way everyone is covered on security updates.
Perhaps git will write code so scripts do not break anything.

Gerrit Venema (gmoniker) said:
#4