Bug 1359176

Summary: Git is unable to use HTTP(S)-SSO because of fix for CVE-2011-2192 [scl]
Product: Red Hat Software Collections Reporter: Andreas Bleischwitz <ableisch>
Component: gitAssignee: Petr Stodulka <pstodulk>
Status: CLOSED ERRATA QA Contact: Leos Pol <lpol>
Severity: medium Docs Contact:
Priority: medium    
Version: rh-git29CC: ableisch, ccheney, devel, jorton, kdudka, lpol
Target Milestone: rcKeywords: Reopened
Target Release: 2.3   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: rh-git29-git-2.9.3-1.el6 rh-git29-git-2.9.3-1.el7 Doc Type: Bug Fix
Doc Text:
Cause: Since libcurl v7.21.7 is requested new paramater for delegation of kerberos ticket because of CVE-2011-2192. Git didn't provide any way to setting of that option, so delegation wasn't possible. Consequence: Using of git with HTTP(S) and SSO wasn't possible. Fix: Git provides new configuration variable http.delegation which corresponds to curl parameter "--delegation" (see man 1 curl). User need to set the parameter when delegation of kerberos ticket is required. Result: Git can be used with combination HTTP(S) and SSO again.
 Story Points: ---
Clone Of:
: 1368384 (view as bug list) Environment:
Last Closed: 2016-11-15 10:04:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1369173    

Description Andreas Bleischwitz 2016-07-22 12:41:55 UTC 
Description of problem:
Git in combination of HTTP(s) and SSO using kerberos no longer works when using libcurl > 7.19.7-27.
As libcurl > 7.19.7-27 got a fix to no longer unconditional delegate kerberos tickets to services and Git does not set the required options for libcurl to do so, Git is no longer able to do SSO with HTTP(s) connections.

Version-Release number of selected component (if applicable):
Git: any
libcurl > 7.19.7-27

How reproducible:
Try to checkout a repository using kerberos SSO from a http(s) server.

Steps to Reproduce:
1. Have a HTTP(s) configured and kerberos enabled git-repository
2. get kerberos granting ticket (kinit)
3. try to checkout repository (git clone https://git.example.com/my-repo.git)


Actual results:
Git prompts for a username/password combination

Expected results:
Git does not prompt for username/password and checks out the repository

Additional info:
Comment 1 Andreas Bleischwitz 2016-07-22 12:48:00 UTC 
As curl got an additional option "--delegate" which can be set to "none, policy or always", git also should have such options in the configuration file.

That way we do not introduce another security-flaw which was initially fixed with RHBA-2013-0393.
Comment 7 Petr Stodulka 2016-09-23 15:03:17 UTC 
git19 will be soon on EOL and next git resolves this bug. However, customer will need modify settings because of upstream solution. More precisely, one possible solution which works since git v 2.8.0:

$ export GIT_HTTP_PROXY_AUTHMETHOD="negotiate"
$ git config --global http.emptyAuth true

...
$ git clone .....


Note that this solution will work probably only for git29. Native git* packages in RHEL-6 and RHEL-7 will probably works as before after fix.
Comment 8 Petr Stodulka 2016-09-26 15:03:38 UTC 
Reopen bug again. Previously I tried that reproduce according to information in reproducer. However - reproducer is in this case useless and I don't have any info how can I try exactly reproduce using of delegate.

My solution works becuase I configure git (and git server) to use kerberos authentication and this don't use/need --delegation parameter in any way.
Comment 9 Petr Stodulka 2016-09-26 15:04:12 UTC 
Just append info that comment #7 is deprecated in that case.
Comment 10 Petr Stodulka 2016-09-29 07:34:51 UTC 
Patch is already in upstream for testing. I will backport it when it will be approved.
Comment 11 Kamil Dudka 2016-09-29 07:40:09 UTC 
Please reference the upstream commit or submission if publicly available.
Comment 12 Petr Stodulka 2016-09-29 08:21:42 UTC 
My mistake: I get response that patch will be added to testing branch in upstream. But it is not merged yet. Final patch which should be added in upstream for testing is here:
http://www.spinics.net/lists/git/msg287130.html
Comment 15 Petr Stodulka 2016-10-10 12:14:41 UTC 
git19 will be soon EOL. But this bug could be fixed in rh-git29. My patch is finally part of upstream, so I am going to prepare patch.
Comment 29 errata-xmlrpc 2016-11-15 10:04:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2728.html
Comment 30 Marcus Sundberg 2017-06-09 16:01:38 UTC 
Note that a workaround that works fine at least with
git-1.7.1-4.el6_7.1.x86_64 and git-1.8.3.1-6.el7_2.1.x86_64
is to replace:
git clone https://git.example.com/my-repo.git
with:
git clone https://:@git.example.com/my-repo.git

May be useful for people finding this bug until RHEL 7.4 is released.