Bug 1781127 (CVE-2019-1387)
| Summary: | CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aileenc, amahdal, besser82, c.david86, chazlett, chrisw, drieden, ggaughan, hhorak, i, icq, igor.raits, janstey, jochrist, jorton, jwon, klember, opohorel, pcahyna, psampaio, pstodulk, sebastian.kisela, security-response-team, tmz, walter.pete |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2, git 2.19.3, git 2.18.2, git 2.17.3, git 2.16.6, git 2.15.4, git 2.14.6 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-12-19 20:09:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1781954, 1784055, 1784056, 1784057, 1784058, 1784059, 1784060, 1784061, 1784610, 1784611, 1784614 | | |
| Bug Blocks: | 1781145 | | |
Description
Dhananjay Arunesh
2019-12-09 11:46:43 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781954]

Upstream patch: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2

External References: https://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2

oss-security mailing list reference: https://www.openwall.com/lists/oss-security/2019/12/13/1

Submodule names are used to construct the path of the gitdir associated with the submodule; however, git does not correctly validate those names, allowing a submodule gitdir to be nested inside the gitdir of another submodule. Given that the gitdir directory of submodules also contains scripts that are executed by git during various operations, it is risky to allow such nested paths. In some circumstances, it is possible for an attacker to trick a user into recursively cloning a malicious repository which, when cloned, would allow the attacker to remotely execute code on the victim's machine.

The only known exploit at this time would allow for just very targeted attacks, where the user.name, user.email and the rough time window when the repositories will be cloned recursively are known to the attacker. However, we do not exclude that other ways may exist.

Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, as they did not use submodule names to construct git metadata paths.

Mitigation: Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.

Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784611]
Affects: fedora-all [bug 1784610]

Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784614]

OpenShift Container Platform 3 and 4 use git from Red Hat Enterprise Linux (RHEL). Once an update for git in RHEL is available, it will be rebuilt into affected OCP container images.
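As an added illustration of the condition the description above names (a submodule name that would place its gitdir inside another submodule's gitdir, or outside `.git/modules` entirely), here is a small pre-clone check over a `.gitmodules` file. This is example code written for this page, not git's own validation; the `.gitmodules` content is constructed, and the only assumption taken from git is that submodule metadata lives under `.git/modules/<name>`.

```python
import posixpath
import re

# Constructed sample .gitmodules (not from any real repository): one ordinary
# submodule, one whose name would land inside the first one's gitdir, and one
# whose name climbs out of .git/modules altogether.
SAMPLE_GITMODULES = """\
[submodule "vendor/zlib"]
\tpath = vendor/zlib
\turl = https://example.invalid/zlib.git
[submodule "vendor/zlib/extra"]
\tpath = extra
\turl = https://example.invalid/extra.git
[submodule "../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
"""

# git keeps each submodule's metadata (including its hooks) under .git/modules/<name>
MODULES_DIR = ".git/modules"
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$', re.M)


def parse_submodule_names(text):
    """Return the names declared by [submodule "<name>"] sections, unescaped."""
    return [re.sub(r"\\(.)", r"\1", m.group(1)) for m in SECTION_RE.finditer(text)]


def gitdir_for(name):
    """Metadata path git would derive from the name, with '.' and '..' resolved."""
    return posixpath.normpath(posixpath.join(MODULES_DIR, name))


def find_unsafe_names(names):
    """Flag names whose gitdir escapes .git/modules or sits inside another
    submodule's gitdir, which is the nesting the description above warns about."""
    findings = []
    gitdirs = {name: gitdir_for(name) for name in names}
    for name, gitdir in gitdirs.items():
        if not gitdir.startswith(MODULES_DIR + "/"):
            findings.append((name, "gitdir escapes " + MODULES_DIR))
            continue
        for other, other_dir in gitdirs.items():
            if other != name and gitdir.startswith(other_dir + "/"):
                findings.append((name, "gitdir nested inside submodule '%s'" % other))
    return findings


if __name__ == "__main__":
    for name, reason in find_unsafe_names(parse_submodule_names(SAMPLE_GITMODULES)):
        print("REJECT %s: %s" % (name, reason))
```

Running this against a repository's `.gitmodules` before a recursive clone gives a quick triage signal; it complements, rather than replaces, updating to a fixed git version.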
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1387

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:0124 https://access.redhat.com/errata/RHSA-2020:0124

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228