From: Junio C Hamano <gitster@pobox.com>
To: Mark Esler <mark.esler@canonical.com>
Cc: git@vger.kernel.org
Subject: Re: CVE-2022-24975
Date: Wed, 01 Jun 2022 14:12:43 -0700
Message-ID: <xmqq4k14qe9g.fsf@gitster.g>
In-Reply-To: <CAJ=HsVKX-NXePKU1G0UKRcFT5He8AjS_TQEirb3hN3chGFz9TA@mail.gmail.com> (Mark Esler's message of "Wed, 1 Jun 2022 15:55:09 -0500")

Mark Esler <mark.esler@canonical.com> writes:

> Hello,
>
> Could the git developers state their position on CVE-2022-24975? Is it
> disputed or will it be addressed by upstream?
>
> As I read the documentation, --mirror is working as stated and MITRE
> should remove the CVE.
>
> Thank you,
> Mark Esler

It took me a while to Google for "gitbleed" as I got tons of GI
bleed but no Gitbleed, so a quick conclusion is there is no such
credible thing called gitbleed ;-)

Jokes aside (yes, I know about [*]).

As you said, "A repository can have more than what branch heads and
tags can reach, and the --mirror option is a way to copy all the
things that are reachable from other refs.  It is 100% working as
intended."

During the discussion about [*] on git-security@ mailing list,
everybody said that it is dubious that CVE is warranted.  I am not
sure there is anything more for us to do.


[Reference]

* https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/

  the author of which asked git-security@ list and after getting
  things explained, accepted that this is a "working as intended"
  functionality and promised to adjust the blog post entry not to
  imply that the entire repository can be copied.  I do not know how
  much correction was actually made since then, though.
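
Junio's point, that a plain clone copies only what branches and tags reach while --mirror copies everything any ref reaches, can be checked locally. The script below is an added example, not part of this thread or of git's own code: it assumes `git` is on PATH, and the repository, the commit messages and the `refs/hidden/stale` ref are all constructed for the demonstration. `list_refs` is the audit step a maintainer would run before publishing a repository, to see exactly which refs a mirror clone would carry away.

```shell
# Added example, not part of this thread or of git itself: show that a plain
# `git clone` copies only what refs/heads/* and refs/tags/* can reach, while
# `git clone --mirror` copies every ref, including custom namespaces such as
# the constructed refs/hidden/stale below. Assumes `git` is on PATH.
set -e

# Identity for the constructed commits (not a real person).
GIT_AUTHOR_NAME=demo;                     export GIT_AUTHOR_NAME
GIT_AUTHOR_EMAIL=demo@example.invalid;    export GIT_AUTHOR_EMAIL
GIT_COMMITTER_NAME=demo;                  export GIT_COMMITTER_NAME
GIT_COMMITTER_EMAIL=demo@example.invalid; export GIT_COMMITTER_EMAIL

# Create a repository whose branch reaches one commit and whose
# refs/hidden/stale ref reaches a second commit that no branch or tag reaches.
# Prints the repository path.
make_origin() {
    work=$(mktemp -d)
    git -C "$work" init -q
    git -C "$work" commit -q --allow-empty -m "public commit"
    git -C "$work" commit -q --allow-empty -m "reachable only from refs/hidden/stale"
    git -C "$work" update-ref refs/hidden/stale HEAD
    # Rewind the branch so only the custom ref still points at commit two.
    git -C "$work" reset -q --hard HEAD~1
    echo "$work"
}

# Audit helper: list every ref a --mirror clone would copy from a repository.
list_refs() {
    git -C "$1" for-each-ref --format='%(refname)'
}

# Number of distinct commits reachable from any ref in a repository.
reachable_commits() {
    git -C "$1" rev-list --all --count
}

# Clone $1 the ordinary way and report how many commits its refs reach.
normal_clone_count() {
    dst=$(mktemp -d)/plain
    git clone -q "$1" "$dst"
    reachable_commits "$dst"
}

# Clone $1 with --mirror and report how many commits its refs reach.
mirror_clone_count() {
    dst=$(mktemp -d)/mirror.git
    git clone -q --mirror "$1" "$dst"
    reachable_commits "$dst"
}

origin=$(make_origin)
echo "refs in origin (what --mirror will copy):"
list_refs "$origin"
echo "commits reachable in origin:   $(reachable_commits "$origin")"
echo "commits in an ordinary clone:  $(normal_clone_count "$origin")"
echo "commits in a --mirror clone:   $(mirror_clone_count "$origin")"
```

The ordinary clone reports 1 commit and the mirror clone 2, because only the mirror asks for `refs/*:refs/*`. The script compares what each clone's refs can reach rather than which loose objects exist, since a clone over a local path may hardlink the whole object store; over a network transport only the objects the requested refs need are sent, which is the case the blog post was concerned with.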

Thread overview: 4+ messages
2022-06-01 20:55 CVE-2022-24975 Mark Esler
2022-06-01 21:12 ` Junio C Hamano [this message]
2022-06-01 21:40   ` CVE-2022-24975 Mark Esler
2022-06-06 15:11   ` CVE-2022-24975 Dyer, Edwin