GLSA-202401-17 : libgit2: Privilege Escalation Vulnerability

high Nessus Plugin ID 188043

Description

The remote host is affected by the vulnerability described in GLSA-202401-17 (libgit2: Privilege Escalation Vulnerability)

- Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. (CVE-2022-29187)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

All libgit2 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=dev-libs/libgit2-1.4.4

See Also

https://security.gentoo.org/glsa/202401-17

https://bugs.gentoo.org/show_bug.cgi?id=857792

Plugin Details

Severity: High

ID: 188043

File Name: gentoo_GLSA-202401-17.nasl

Version: 1.0

Type: local

Published: 1/14/2024

Updated: 1/14/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-29187

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:libgit2, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/14/2024

Vulnerability Publication Date: 7/12/2022

Reference Information

CVE: CVE-2022-29187