Bug 1269794 (CVE-2015-7545)
Summary: | CVE-2015-7545 git: arbitrary code execution via crafted URLs | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | carnil, ccoleman, chrisw, dmcphers, jbowes, jialiu, joelsmith, jokajak, jokerman, jorton, jrusnack, kseifried, lmeyer, mmaslano, mmccomas, pstodulk, tmz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | git 2.6.1, git 2.3.10 | Doc Type: | Bug Fix |
Doc Text: |
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-12-09 20:35:04 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1269797, 1269798, 1273889, 1273890, 1274737 | ||
Bug Blocks: | 1269795 |
Description
Martin Prpič
2015-10-08 08:53:43 UTC
Created git tracking bugs for this issue: Affects: fedora-all [bug 1269797] Affects: epel-5 [bug 1269798] Blake Burkhart on oss-security: " Arbitrary shell command execution from .gitmodules: Git allows executing arbitrary shell commands using git-remote-ext via a remote URLs. Normally git never requests URLs that the user doesn't specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories. a5adace and 33cfccb fixed this behavior by introducing a whitelist of allowed protocols for all git submodule operations. " Analysis: From `man git-remote-ext`: "This remote helper is transparently used by Git when you use commands such as "git fetch <URL>", "git clone <URL>", , "git push <URL>" or "git remote add <nick> <URL>", where <URL> begins with ext::. " So given a URL in format "ext::<command>[ <arguments>...]", this helper uses specified <command> to connect to a remote Git server. This was not filtered, so arbitrary command injected here leads to command execution. In order to be vulnerable, victim needs to fetch the data from attacker supplied URL without noticing. One such attack is described above. Mitigation: Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable ("e.g. by specifying --recursive"). git-2.5.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. git-2.4.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2015:2515 https://rhn.redhat.com/errata/RHSA-2015-2515.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2561 https://rhn.redhat.com/errata/RHSA-2015-2561.html git-1.8.2.1-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. |