Bug 1636619 (CVE-2018-17456)

Summary: CVE-2018-17456 git: arbitrary code execution via .gitmodules
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, a.dekker, amahdal, besser82, bparees, cbyrne, c.david86, chrisw, cmacedo, dbaker, dffrench, drusso, hhorak, i, icq, jmadigan, jokerman, jorton, jshepherd, lgriffin, mplch, ngough, nmurray, opohorel, pcahyna, pgozart, pstodulk, pwright, rschiron, sfowler, sthangav, tmz, trankin, trepel, veeti.paananen, walter.pete, yozone
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.14.5, git 2.15.3, git 2.16.5, git 2.17.2, git 2.18.1, git 2.19.1 Doc Type: If docs needed, set a value
Doc Text:
An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:39:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1636620, 1636621, 1636622, 1638265, 1638266, 1638269, 1638270, 1638271, 1638275, 1785230    
Bug Blocks: 1636623    

Description Laura Pardo 2018-10-05 21:44:24 UTC 
A flaw was found in git which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules.


References:
https://bugzilla.novell.com/show_bug.cgi?id=1110949
https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08
Comment 1 Laura Pardo 2018-10-05 21:44:54 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1636620]


Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1636621]
Comment 3 Jason Shepherd 2018-10-07 23:44:27 UTC 
The relevant upstream commits which fix the issue:
https://github.com/git/git/commit/98afac7a7cefdca0d2c4917dd8066a59f7088265
https://github.com/git/git/commit/f6adec4e329ef0e25e14c63b735a5956dc67b8bc
https://github.com/git/git/commit/273c61496f88c6495b886acb1041fe57965151da

For the fsck check:
https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
Comment 5 Jason Shepherd 2018-10-08 06:15:58 UTC 
Statement:

OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use, therefore a cluster update is required to patch this issue. Full instructions will be provided in Security Errata provided for this issue.

In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node. Therefore the severity of this CVE is important for these versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container.
Comment 9 Riccardo Schirone 2018-10-10 09:13:24 UTC 
git does not properly pass the `url` and `path` fields of a submodule to the git-clone command, when recursively cloning a repository with git sub-modules. If the `url` field begins with a `-`(dash) this is going to be interpreted as an option.
Comment 17 errata-xmlrpc 2018-10-30 16:58:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3408 https://access.redhat.com/errata/RHSA-2018:3408
Comment 18 errata-xmlrpc 2018-11-12 11:23:11 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3541 https://access.redhat.com/errata/RHSA-2018:3541
Comment 30 errata-xmlrpc 2020-02-03 09:10:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0316 https://access.redhat.com/errata/RHSA-2020:0316