*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

The recent backport of the security fix for CVE-2022-24765 does not
contain enough of the upstream fix for the issue. Specifically, it does
not contain a subsequent commit that corrects the omission of checking
the key name when searching the config file for safe directories.

In the implementation backported to Ubuntu, the config file parser does
not check the name of the key when scanning key/value pairs for
directories that should be considered as safe. As such, any key whose
value looks like a directory name will cause that directory to be
treated as safe. (i.e. "foo.bar = /path/to/something" is functionally
equivalent to "safe.directory = /path/to/something")

Upstream commit bb50ec3cc300eeff3aba7a2bea145aabdb477d31 which fixes the
issue is attached as a patch.

** Affects: git (Ubuntu)
Importance: Undecided
Status: Fix Released

--
SECURITY: safe.directory backport doesn't check key name
https://bugs.launchpad.net/bugs/1970260
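
The missing key-name check described in the report, as an added example: this is a simplified model written for this page, not git's source and not the attached patch. The struct, function names and sample config entries are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not git's code): one safe.directory lookup. */
struct safe_dir_query {
	const char *path;	/* repository directory being checked */
	int is_safe;
};

/* Callback shape the report describes: the key is never inspected. */
static int cb_without_key_check(const char *key, const char *value, void *d)
{
	struct safe_dir_query *q = d;
	(void)key;
	if (value && !strcmp(value, q->path))
		q->is_safe = 1;
	return 0;
}

/* Same callback with the check added: ignore every key but safe.directory. */
static int cb_with_key_check(const char *key, const char *value, void *d)
{
	struct safe_dir_query *q = d;
	if (strcmp(key, "safe.directory"))
		return 0;
	if (value && !strcmp(value, q->path))
		q->is_safe = 1;
	return 0;
}

typedef int (*config_cb)(const char *, const char *, void *);
struct kv { const char *key, *value; };

/* Feed parsed key/value pairs to a callback, as a config parser would. */
static int path_is_safe(config_cb cb, const struct kv *cfg, size_t n, const char *path)
{
	struct safe_dir_query q = { path, 0 };
	for (size_t i = 0; i < n; i++)
		cb(cfg[i].key, cfg[i].value, &q);
	return q.is_safe;
}

/* Constructed sample entries, mirroring the two lines quoted in the report. */
static const struct kv unrelated_key[] = { { "foo.bar", "/path/to/something" } };
static const struct kv proper_key[] = { { "safe.directory", "/path/to/something" } };

int main(void)
{
	printf("no key check, foo.bar:  %d\n", path_is_safe(cb_without_key_check, unrelated_key, 1, "/path/to/something"));
	printf("key check, foo.bar:     %d\n", path_is_safe(cb_with_key_check, unrelated_key, 1, "/path/to/something"));
	printf("key check, safe.dir:    %d\n", path_is_safe(cb_with_key_check, proper_key, 1, "/path/to/something"));
	return 0;
}
```

A regression test for a backport can follow the same pattern: a config containing only an unrelated key with a matching path must leave the directory untrusted.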