Bug 1269794 (CVE-2015-7545)

Summary: CVE-2015-7545 git: arbitrary code execution via crafted URLs
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, ccoleman, chrisw, dmcphers, jbowes, jialiu, joelsmith, jokajak, jokerman, jorton, jrusnack, kseifried, lmeyer, mmaslano, mmccomas, pstodulk, tmz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.6.1, git 2.3.10 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-09 20:35:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1269797, 1269798, 1273889, 1273890, 1274737    
Bug Blocks: 1269795    

Description Martin Prpič 2015-10-08 08:53:43 UTC 
The following issue was fixed in Git version 2.6.1:

* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

Upstream patches:

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

CVE request:

http://seclists.org/oss-sec/2015/q4/37
Comment 1 Martin Prpič 2015-10-08 08:56:06 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1269797]
Affects: epel-5 [bug 1269798]
Comment 3 Ján Rusnačko 2015-10-14 15:16:38 UTC 
Blake Burkhart on oss-security:

"
Arbitrary shell command execution from .gitmodules:

Git allows executing arbitrary shell commands using git-remote-ext via a
remote URLs. Normally git never requests URLs that the user doesn't
specifically request, so this is not a serious security concern. However,
submodules did allow the remote repository to specify what URL to clone
from.

If an attacker can instruct a user to run a recursive clone from a
repository they control, they can get a client to run an arbitrary shell
command. Alternately, if an attacker can MITM an unencrypted git clone,
they could exploit this. The ext command will be run if the repository is
recursively cloned or if submodules are updated. This attack works when
cloning both local and remote repositories.

a5adace and 33cfccb fixed this behavior by introducing a whitelist of
allowed protocols for all git submodule operations.
"

Analysis:
From `man git-remote-ext`:

  "This remote helper is transparently used by Git when you use commands such as "git fetch <URL>", "git clone <URL>", , "git push <URL>" or "git remote add <nick> <URL>", where <URL> begins with ext::. "

So given a URL in format "ext::<command>[ <arguments>...]", this helper uses specified <command> to connect to a remote Git server.

This was not filtered, so arbitrary command injected here leads to command execution.

In order to be vulnerable, victim needs to fetch the data from attacker supplied URL without noticing. One such attack is described above.

Mitigation:

Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable ("e.g. by specifying --recursive").
Comment 6 Fedora Update System 2015-11-02 18:51:40 UTC 
git-2.5.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-11-08 09:49:02 UTC 
git-2.4.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2015-11-25 17:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2015:2515 https://rhn.redhat.com/errata/RHSA-2015-2515.html
Comment 9 errata-xmlrpc 2015-12-08 10:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2561 https://rhn.redhat.com/errata/RHSA-2015-2561.html
Comment 10 Fedora Update System 2016-01-02 19:53:17 UTC 
git-1.8.2.1-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.