Bug 1636619 (CVE-2018-17456)
Summary: | CVE-2018-17456 git: arbitrary code execution via .gitmodules | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abhgupta, a.dekker, amahdal, besser82, bparees, cbyrne, c.david86, chrisw, cmacedo, dbaker, dffrench, drusso, hhorak, i, icq, jmadigan, jokerman, jorton, jshepherd, lgriffin, mplch, ngough, nmurray, opohorel, pcahyna, pgozart, pstodulk, pwright, rschiron, sfowler, sthangav, tmz, trankin, trepel, veeti.paananen, walter.pete, yozone |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | git 2.14.5, git 2.15.3, git 2.16.5, git 2.17.2, git 2.18.1, git 2.19.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:39:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1636620, 1636621, 1636622, 1638265, 1638266, 1638269, 1638270, 1638271, 1638275, 1785230 | ||
Bug Blocks: | 1636623 |
Description
Laura Pardo
2018-10-05 21:44:24 UTC
Created git tracking bugs for this issue: Affects: fedora-all [bug 1636620] Created libgit2 tracking bugs for this issue: Affects: fedora-all [bug 1636621] The relevant upstream commits which fix the issue: https://github.com/git/git/commit/98afac7a7cefdca0d2c4917dd8066a59f7088265 https://github.com/git/git/commit/f6adec4e329ef0e25e14c63b735a5956dc67b8bc https://github.com/git/git/commit/273c61496f88c6495b886acb1041fe57965151da For the fsck check: https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 Statement: OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use, therefore a cluster update is required to patch this issue. Full instructions will be provided in Security Errata provided for this issue. In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node. Therefore the severity of this CVE is important for these versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container. git does not properly pass the `url` and `path` fields of a submodule to the git-clone command, when recursively cloning a repository with git sub-modules. If the `url` field begins with a `-`(dash) this is going to be interpreted as an option. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3408 https://access.redhat.com/errata/RHSA-2018:3408 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3541 https://access.redhat.com/errata/RHSA-2018:3541 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0316 https://access.redhat.com/errata/RHSA-2020:0316 |