
Re: git CVE-2024-32004 & CVE-2024-32020



On Fri, May 31, 2024 at 10:41:44AM -0400, Roberto C. Sánchez wrote:
> On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote:
> 
> > I also note: the commit message for the fix for CVE-2024-32465 says that
> > it renders the fix for CVE-2024-32004 "somewhat redundant".
> > My understanding of the situation is that the fix for CVE-2024-32465
> > does fix the issue strictly designated by CVE-2024-32004, and without
> > the sort of usability regression linked above.
> > 
> > Could someone review this assessment, please?
> > 
> I haven't assessed this, but I will and then I will reply to this thread
> again with my assessment.
> 

So, I have read the two commit messages (f4aa8c8bb1 and 7b70e9efb1), but
I have not read the actual code changes.

It looks to me like the way to confirm your assessment is to take 
t/t0411-clone-from-partial.sh from the first commit and backport just
that part. It should result in new test failures. Then backport the
second commit (which fixes CVE-2024-32465 and is somewhat redundant with
the first commit) and confirm that the test changes which produced the
new test failures are all passing again.

Also, given the potential usability regression reported upstream, it
would certainly be wise to manually test that a shared repository can be
cloned without requiring the configuration change on the server side.
This testing should include 3 scenarios: one with the patch applied only
on the server side, another with the patch applied only on the client
side, and finally one with the patch applied on both sides.

Regards,

-Roberto

-- 
Roberto C. Sánchez

