Re: git CVE-2024-32004 & CVE-2024-32020

To: debian-lts@lists.debian.org
Subject: Re: git CVE-2024-32004 & CVE-2024-32020
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 31 May 2024 10:41:40 -0400
Message-id: <[🔎] ZlnhpD0igkzjkkSN@localhost>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 87mso6qdow.fsf@zephyr.silentflame.com>
References: <[🔎] 87mso6qdow.fsf@zephyr.silentflame.com>

Hi Sean,

On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote:
> Hello,
> 
> Upstream's patches for these CVEs involve making it a lot fiddlier to
> use shared repositories where write access is managed using Unix
> permissions, rather than by using SSH identities.
> And indeed someone has reported a case of this a few days ago:
>   <https://lore.kernel.org/git/924426.1716570031@dash.ant.isi.edu/T/#u>.
> 

I actually was bitten by this exact issue yesterday after an update to a
server running Ubuntu 22.

The really annoying thing is that the work-around of setting
safe.directory has to be done on the server side. In the case of a
server which uses system users but which does not permit shell log in,
it would not even be possible for an affected user to set the
configuration, unless an administrator sets it per-user or system-wide.

It took several hours of troubleshooting to figure this out, as all of
the discussions that came up regarding the "dubious permissions" error
related to a CVE from 2022 and simply said to set safe.directory
(implying that it was a client-side setting).

> I think that this regression would be significant enough in an LTS
> context -- it's an older way of doing git repository hosting -- that we
> should leave these two CVEs unpatched for now.
> 
I concur that the hassle which will almost certainly ensue from patching
these CVEs would outweigh any potential benefit. Especially since
depending on the specifics of the environment into which an update
containing these patches is deployed, it may actually bring a
development team's work entirely to a halt.

We have reverted patches for lesser impacts, so it seems prudent to not
deploy them in the first place for these two CVEs.

> I also note: the commit message for the fix for CVE-2024-32465 says that
> it renders the fix for CVE-2024-32004 "somewhat redundant".
> My understanding of the situation is that the fix for CVE-2024-32465
> does fix the issue strictly designated by CVE-2024-32004, and without
> the sort of usability regression linked above.
> 
> Could someone review this assessment, please?
> 
I haven't assessed this, but I will and then I will reply to this thread
again with my assessment.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: git CVE-2024-32004 & CVE-2024-32020
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: git CVE-2024-32004 & CVE-2024-32020
  - From: Santiago Ruano Rincón <santiago@freexian.com>

References:
- git CVE-2024-32004 & CVE-2024-32020
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: git CVE-2024-32004 & CVE-2024-32020
Next by Date: Re: git CVE-2024-32004 & CVE-2024-32020
Previous by thread: git CVE-2024-32004 & CVE-2024-32020
Next by thread: Re: git CVE-2024-32004 & CVE-2024-32020
Index(es):
- Date
- Thread