Bug 1434415 (CVE-2014-9938)

Summary: CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: amahdal, besser82, ccoleman, c.david86, chrisw, dedgar, dmcphers, hhorak, jbowes, jgoulding, joelsmith, jorton, pstodulk, tmz
Keywords: Security
Fixed In Version: git 1.9.3
Doc Type: If docs needed, set a value
Doc Text:
It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt.
Last Closed: 2017-08-01 20:57:10 UTC
Bug Depends On: 1434438, 1434439, 1434440, 1435009
Bug Blocks: 1434417

Description Adam Mariš 2017-03-21 13:14:46 UTC
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

Upstream patch:

https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f

PoC repository:

https://github.com/njhartwell/pw3nage

Comment 1 Adam Mariš 2017-03-21 14:01:23 UTC
Created git tracking bugs for this issue:

Affects: epel-5 [bug 1434439]
Affects: fedora-24 [bug 1434438]
Affects: openshift-1 [bug 1434440]

Comment 2 Tomas Hoger 2017-03-22 14:38:27 UTC
Note that there are two ways to use git-prompt.sh to add info to the shell prompt.  These methods are documented at the top of the git-prompt.sh file:

#    3a) Change your PS1 to call __git_ps1 as
#        command-substitution:
#        Bash: PS1='[\u@\h \W$(__git_ps1 " (%s)")]\$ '
#        ZSH:  setopt PROMPT_SUBST ; PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ '
#        the optional argument will be used as format string.
#    3b) Alternatively, for a slightly faster prompt, __git_ps1 can
#        be used for PROMPT_COMMAND in Bash or for precmd() in Zsh
#        with two parameters, <pre> and <post>, which are strings
#        you would put in $PS1 before and after the status string
#        generated by the git-prompt machinery.  e.g.
#        Bash: PROMPT_COMMAND='__git_ps1 "\u@\h:\w" "\\\$ "'
#          will show username, at-sign, host, colon, cwd, then
#          various status string, followed by dollar and SP, as
#          your prompt.
#        ZSH:  precmd () { __git_ps1 "%n" ":%~$ " "|%s" }
#          will show username, pipe, then various status string,
#          followed by colon, cwd, dollar and SP, as your prompt.
#        Optionally, you can supply a third argument with a printf
#        format string to finetune the output of the branch status

This issue only affected uses with __git_ps1 used in the PROMPT_COMMAND (i.e. the 3b) configurations); it did not affect uses with __git_ps1 in PS1 (i.e. the 3a) configurations).

The support for using __git_ps1 in PROMPT_COMMAND was added in git version 1.8.1 via this commit:

https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250

Therefore, git 1.7.1 as shipped with Red Hat Enterprise Linux 6 was not affected.
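As an added illustration, not part of this bug report or of git's own code, of why the PROMPT_COMMAND (3b) configuration in Comment 2 was affected: the two functions below model how __git_ps1 built PS1 in 3b mode before 1.9.3 and after the upstream fix (commit 8976500), which references the branch name through a variable instead of pasting it into PS1. The branch name, the `user@host` / `> ` pre and post strings, and `expand_prompt` (a stand-in for bash's prompt expansion with promptvars on) are constructed for the example.

```shell
# Constructed sample: a branch name carrying a command substitution with a
# benign marker, standing in for the crafted repository the report describes.
SAMPLE_BRANCH='feature$(echo INJECTED)'

# Pre-1.9.3 behaviour in PROMPT_COMMAND (3b) mode: __git_ps1 pasted the raw
# branch name between <pre> and <post> and assigned the result to PS1, which
# bash later subjects to command substitution every time it draws the prompt.
vulnerable_git_ps1() {              # $1 = pre, $2 = branch, $3 = post
    PS1="$1 ($2)$3"
}

# Fixed behaviour (git 1.9.3, upstream commit 8976500): PS1 only contains a
# parameter reference; the branch name lives in that variable, so prompt
# expansion inserts its value once and never re-scans it for substitutions.
fixed_git_ps1() {                   # $1 = pre, $2 = branch, $3 = post
    __git_ps1_branch_name=$2
    PS1="$1 (\${__git_ps1_branch_name})$3"
}

# Stand-in for the relevant part of bash's prompt expansion: PS1 undergoes
# parameter expansion and command substitution a single time.
expand_prompt() {
    eval "printf '%s' \"$PS1\""
}

vulnerable_git_ps1 'user@host' "$SAMPLE_BRANCH" '> '
printf 'vulnerable: %s\n' "$(expand_prompt)"   # the marker command has run
fixed_git_ps1 'user@host' "$SAMPLE_BRANCH" '> '
printf 'fixed:      %s\n' "$(expand_prompt)"   # branch name shown literally
```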

Comment 5 errata-xmlrpc 2017-08-01 20:52:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2004 https://access.redhat.com/errata/RHSA-2017:2004