Bug 208074

Summary: devel/git - CVE-2016-2315 & CVE-2016-2324
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)Assignee: Renato Botelho <garga>
Status: Closed FIXED    
Severity: Affects Many People CC: feld, junovitch, ports-secteam
Priority: --- Keywords: needs-patch, needs-qa, security
Version: LatestFlags: bugzilla: maintainer-feedback? (garga)
garga: merge-quarterly?
Hardware: Any   
OS: Any   

Description Sevan Janiyan 2016-03-16 22:36:30 UTC
Missing vuxml entries for these 2 CVEs
CVE-2016-2324 is not fixed yet in any release but a fix has been committed to the repo
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d 

http://seclists.org/oss-sec/2016/q1/645
https://security-tracker.debian.org/tracker/CVE-2016-2315
https://security-tracker.debian.org/tracker/CVE-2016-2324
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-03-17 02:46:09 UTC
A commit references this bug:

Author: junovitch
Date: Thu Mar 17 02:45:35 UTC 2016
New revision: 411251
URL: https://svnweb.freebsd.org/changeset/ports/411251

Log:
  Document possible code execution and integer overflow issue in git

  PR:		208074
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk> (via PR)
  Reported by:	Tony Tung <tonytung@merly.org> (via email)
  Security:	CVE-2016-2315
  Security:	CVE-2016-2324
  Security:	https://vuxml.FreeBSD.org/freebsd/93ee802e-ebde-11e5-92ce-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/d2a84feb-ebe0-11e5-92ce-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-03-17 02:46:13 UTC
A commit references this bug:

Author: junovitch
Date: Thu Mar 17 02:45:54 UTC 2016
New revision: 411252
URL: https://svnweb.freebsd.org/changeset/ports/411252

Log:
  MFH: r405346, r408063, r409422, r409430

  r405346:
  Update devel/git to 2.7.0

  r408063:
  Lighten up the Perl dependencies.

  git uses Perl for two things: Perl hooks into git, and the
  git-send-email(1) script.

  The Perl hooks only use p5-Error. The other modules dependencies,
  p5-Authen-SASL and p5-Net-SMTP-SSL (which bring in a number of other
  perl module dependencies) are only required for git-send-email(1).

  This commit adds a SEND_EMAIL option, defaulted to on, that auto-enables
  the PERL option and installs the git-send-email(1) script with the
  extra perl modules.

  With the PERL option on and SEND_EMAIL off, only the p5-Error module
  is required.

  No PORTREVISION bump as the default dependencies and plist haven't changed.

  PR:		206901
  Approved by:	garga (maintainer)
  Differential Revision:	https://reviews.freebsd.org/D5179

  r409422:
  Update devel/git to 2.7.2

  r409430:
  Fix plist with NLS on after r409422.

  PR:		208074
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk> (via PR)
  Reported by:	Tony Tung <tonytung@merly.org> (via email)
  Security:	CVE-2016-2315
  Security:	https://vuxml.FreeBSD.org/freebsd/93ee802e-ebde-11e5-92ce-002590263bf5.html
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/devel/git/Makefile
  branches/2016Q1/devel/git/distinfo
  branches/2016Q1/devel/git/pkg-plist
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-03-17 02:50:28 UTC
It looks like for CVE-2016-2324 they just merged a variant of the referenced commit to the maint branch (https://github.com/git/git/commit/d79db92483f78f0a750b6093432374fa1069b2ba).  I'm thinking that means we'll see a 2.7.4 soon with that resolved.  Let's get that into ports when it happens.

In the meantime the current devel/git work has all been merged over to quarterly to at least resolve CVE-2016-2315 and both issues have been documented.
Comment 4 Renato Botelho freebsd_committer freebsd_triage 2016-03-18 12:14:29 UTC
I've updated package information on vuxml and updated git to 2.7.4. Just waiting the approval to get it merged into quarterly.
Comment 5 Mark Felder freebsd_committer freebsd_triage 2016-03-18 12:16:00 UTC
(In reply to Renato Botelho from comment #4)

I have not yet seen the request for the git MFH to quarterly, but I approve it.
Comment 6 Renato Botelho freebsd_committer freebsd_triage 2016-03-18 12:47:42 UTC
2.7.4 is updated on quarterly now. Thanks!