Skip to content

Fixes for CVE 2022-29187#6349

Merged
ethomson merged 2 commits into
mainfrom
ethomson/cve-2022-29187
Jul 12, 2022
Merged

Fixes for CVE 2022-29187#6349
ethomson merged 2 commits into
mainfrom
ethomson/cve-2022-29187

Conversation

@ethomson
Copy link
Copy Markdown
Member

@ethomson ethomson commented Jul 12, 2022
edited
Loading

Forward porting the v1.3.2 / v1.4.4 fixes for CVE 2022-29187.

  • A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

  • A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

ethomson added 2 commits July 12, 2022 14:12
@ethomson
repo: validate gitdir and gitlink ownership
af9e003 
To match git's behavior with CVE 2022-29187, validate not only the
working directory, but also the gitdir and gitlink (if it exists). This
a follow up to CVE-2022-24765 that was fixed earlier.
@ethomson
repo: allow users running with sudo to access their repositories
ed24b8b 
In the ownership checks implemented for CVE-2022-24765, we disallowed
users to access their own repositories when running with `sudo`.

Examine the `SUDO_UID` environment variable and allow users running
with `sudo`. This matches git's behavior.
@ethomson ethomson merged commit 4ae8704 into main Jul 12, 2022
@ethomson ethomson deleted the ethomson/cve-2022-29187 branch July 12, 2022 18:42
@csware csware mentioned this pull request Feb 7, 2023
Closed
@jeroen jeroen mentioned this pull request Jul 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ethomson