Bug 1781127 (CVE-2019-1387)

Summary: CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, amahdal, besser82, c.david86, chazlett, chrisw, drieden, ggaughan, hhorak, i, icq, igor.raits, janstey, jochrist, jorton, jwon, klember, opohorel, pcahyna, psampaio, pstodulk, sebastian.kisela, security-response-team, tmz, walter.pete
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2, git 2.19.3, git 2.18.2, git 2.17.3, git 2.16.6, git 2.15.4, git 2.14.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-19 20:09:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1781954, 1784055, 1784056, 1784057, 1784058, 1784059, 1784060, 1784061, 1784610, 1784611, 1784614    
Bug Blocks: 1781145    

Description Dhananjay Arunesh 2019-12-09 11:46:43 UTC 
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

References:

https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Comment 1 Pedro Sampaio 2019-12-11 00:00:12 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781954]
Comment 2 Riccardo Schirone 2019-12-13 10:41:38 UTC 
Upstream patch:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
Comment 3 Riccardo Schirone 2019-12-13 16:22:15 UTC 
External References:

https://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2
Comment 4 Riccardo Schirone 2019-12-13 16:22:39 UTC 
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1
Comment 7 Riccardo Schirone 2019-12-16 14:38:55 UTC 
Submodules names are used to construct the path of the gitdir associated with the submodule, however git does not correctly validate those names, allowing a submodule gitdir to be nested inside the gitdir of another submodule. Given the gitdir directory of submodules also contains scripts that are executed by git during various operations, it is risky to allow such nested paths. In some circumstances, it is possible for an attacker to trick a user into recursively cloning a malicious repository which, when cloned, would allow the attacker to remotely execute code on the victim's machine.
Comment 8 Riccardo Schirone 2019-12-16 14:40:21 UTC 
The only known exploit at this time would allow for just very targeted attacks, where the user.name, user.email and a the rough time window when the repositories will be cloned recursively are known to the attacker. However we do not exclude other ways may exist.
Comment 9 Riccardo Schirone 2019-12-16 14:51:25 UTC 
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not use submodules names to construct git metadata paths.
Comment 11 Riccardo Schirone 2019-12-16 15:28:20 UTC 
Mitigation:

Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.
Comment 12 msiddiqu 2019-12-17 20:43:40 UTC 
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784611]
Affects: fedora-all [bug 1784610]
Comment 13 msiddiqu 2019-12-17 20:49:46 UTC 
Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784614]
Comment 15 Jason Shepherd 2019-12-18 02:10:12 UTC 
OpenShift Container Platform 3, and 4 use git from Red Hat Enterprise Linux (RHEL). Once an update for git in RHEL is available it will be rebuilt into affected OCP container images.
Comment 17 errata-xmlrpc 2019-12-19 18:43:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356
Comment 18 Product Security DevOps Team 2019-12-19 20:09:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1387
Comment 19 errata-xmlrpc 2020-01-02 08:53:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002
Comment 24 errata-xmlrpc 2020-01-16 13:50:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0124 https://access.redhat.com/errata/RHSA-2020:0124
Comment 26 errata-xmlrpc 2020-01-27 08:54:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228