Bug 1450407 (CVE-2017-8386)

Summary: CVE-2017-8386 git: Escape out of git-shell
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amahdal, besser82, ccoleman, c.david86, chrisw, dedgar, dmcphers, hhorak, james.hogarth, jbowes, jgoulding, joelsmith, jorton, pstodulk, tmz
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.4.12, git 2.5.6, git 2.6.7, git 2.7.5, git 2.8.5, git 2.9.4, git 2.10.3, git 2.11.2, git 2.12.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:12:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1450409, 1450410, 1450799, 1451691, 1480504, 1480505    
Bug Blocks: 1415638, 1450411    

Description Andrej Nemec 2017-05-12 12:43:44 UTC 
A vulnerability was found in git concerning the git shell. A user who comes over SSH could run an interactive pager by causing it to spawn "git upload-pack --help".

"git-shell" is a restricted login shell that can be used on a server to prevent SSH clients from running any programs except those needed for git fetches and pushes. If you are not running a server, or if your server has not been explicitly configured to use git-shell as a login shell, you are not affected.

Upstream patch:

https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5

References:

https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
http://public-inbox.org/git/xmqq8tm5ziat.fsf@gitster.mtv.corp.google.com/
Comment 1 Andrej Nemec 2017-05-12 12:44:36 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1450409]
Affects: openshift-1 [bug 1450410]
Comment 5 errata-xmlrpc 2017-08-01 20:52:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2004 https://access.redhat.com/errata/RHSA-2017:2004
Comment 7 errata-xmlrpc 2017-08-17 21:56:48 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2017:2491 https://access.redhat.com/errata/RHSA-2017:2491