Bug 1583862 (CVE-2018-11235)

Summary: CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
Product: [Other] Security Response
Reporter: Todd Zullinger <tmz>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abhgupta, adam.kaplan, ahardin, aileenc, alazarot, amahdal, anstephe, besser82, bleanhar, bparees, ccoleman, c.david86, chazlett, chrisw, dbaker, dedgar, dffrench, dmoppert, drieden, drusso, eparis, etirelli, gvarsami, hghasemb, hhorak, ibek, i, icq, jbowes, jcoleman, jechoi, jgoulding, jlee, jmadigan, jokerman, jolee, jorton, jschatte, jshepherd, jstastny, kconner, klaas, krathod, kverlaen, ldimaggi, lgriffin, lpetrovi, mchappel, ngough, nwallace, otheus.uibk, paradhya, pavelp, pcahyna, pstodulk, pszubiak, pwright, rrajasek, rsynek, rwagner, rzhang, sdaley, security-response-team, skisela, sthangav, tcunning, tjay, tkirby, tmz, trankin, trepel, veeti.paananen, vhalbert, walter.pete, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: git 2.13.7, git 2.14.4, git 2.15.2, git 2.16.4, git 2.17.1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-07-10 08:53:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1583877, 1583878, 1584195, 1584196, 1584197, 1584198, 1584505, 1585001, 1595769, 1596744, 1620099, 1620101, 1620102, 1620103, 1620104, 1620105
Bug Blocks: 1583883

Description Todd Zullinger 2018-05-29 23:08:10 UTC
A flaw was found in git which allows arbitrary code to be executed when running 'git clone --recurse-submodules' (or the deprecated 'git clone --recursive' synonym). A malicious repository can include a .gitmodules submodule config file which points outside of the repository. When git clones such a repository it can be tricked into running hooks within the cloned submodule, which is under the control of the attacker.
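A defender-side check for the .gitmodules shape described above, added here as an example and not code from this bug report or from git itself: it parses the file and flags any submodule whose name contains a '..' path component, which is the rule the fixed git versions enforce on submodule names, and goes one step beyond the page by also flagging absolute or traversing 'path' values. The sample .gitmodules content is constructed.

```python
import re
from typing import Dict, List

# Constructed sample .gitmodules: one benign entry, one with a '..' name component.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
"""

_SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [submodule "name"] sections of a .gitmodules file."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue                      # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def has_dotdot_component(name: str) -> bool:
    """Rule fixed git applies to submodule names: reject any '..' path component,
    splitting on both '/' and backslash so the check is platform independent."""
    return any(part == ".." for part in re.split(r"[/\\]", name))


def unsafe_submodules(text: str) -> List[str]:
    """Names of submodules whose name or path could point outside the repository."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        path = keys.get("path", "")
        if not name or has_dotdot_component(name):
            findings.append(name)         # git dir would land outside .git/modules
        elif path.startswith(("/", "\\")) or has_dotdot_component(path):
            findings.append(name)         # checkout path escapes the work tree
    return findings
```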


Comment 1 Todd Zullinger 2018-05-29 23:12:54 UTC
Updated Fedora builds have been submitted for current releases:

F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-75f7624a9f
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-080a3d7866

Sites hosting git repositories can help mitigate the propagation of this issue to unpatched git clients by enabling 'transfer.fsckObjects'.  (The hosting site should be running a patched git, of course.)

Comment 2 Sam Fowler 2018-05-30 00:17:32 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1583878]

Comment 4 Jason Shepherd 2018-05-30 06:29:58 UTC
There is a simple way to test if your installation of 'git' is vulnerable:

# Create a throwaway repository and try to add an index entry that makes
# .gitmodules a symbolic link (mode 120000) to the empty blob
# (e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 is the SHA-1 of the empty blob).
# A fixed git refuses to add .gitmodules as a symlink; a vulnerable git
# accepts the entry without complaint.
git init test && \
  cd test && \
  git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules

Reference: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html

Comment 7 Tomas Hoger 2018-05-30 07:03:34 UTC
External References:


Comment 16 Jason Shepherd 2018-05-31 06:34:22 UTC
A user of OpenShift Online does not have the ability to add new volumes. Therefore this vulnerability cannot be exploited by a user of OpenShift Online by creating a volume from a GitRepo source [1]. The 'source-to-image' functionality in OpenShift Online is currently affected.

[1] https://docs.openshift.com/container-platform/3.9/dev_guide/volumes.html#adding-volumes

Comment 23 Jason Shepherd 2018-06-01 06:41:02 UTC
The 'git' binary is not installed in the RHEL Atomic base image, registry.access.redhat.com/rhel7-atomic.

Comment 26 Fedora Update System 2018-06-01 12:04:16 UTC
git-2.17.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Otheus 2018-06-20 15:43:10 UTC
Is there someone working on a patch for (RHEL7)?

Comment 34 errata-xmlrpc 2018-06-20 23:05:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1957 https://access.redhat.com/errata/RHSA-2018:1957

Comment 35 Riccardo Schirone 2018-06-27 14:06:43 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1595769]

Comment 36 errata-xmlrpc 2018-07-10 08:34:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2018:2147 https://access.redhat.com/errata/RHSA-2018:2147

Comment 46 Jason Shepherd 2018-08-22 12:59:24 UTC

Don't create OCP source-to-image applications from source code repositories hosted by untrusted parties. GitHub is blocking users from pushing repositories with malicious submodules, so it's less likely you can pull a malicious repository from there which triggers this vulnerability.

Comment 49 Jason Shepherd 2018-08-27 01:08:25 UTC

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not include the vulnerable code.

If using OCP 3.6 make sure atomic-openshift- or later is installed on the master.

Comment 50 Ben Parees 2018-08-27 01:16:47 UTC
I was wrong, they were not the same package.  The git binary reports the same version, but the package level is different and I guess something was patched between the two.