Bug 1781971 (CVE-2019-19604)

Summary: CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, aileenc, amahdal, aos-bugs, besser82, bmontgom, c.david86, chazlett, chrisw, drieden, eparis, ggaughan, hhorak, i, icq, igor.raits, janstey, jburrell, jochrist, jokerman, jorton, jwon, klember, nstielau, opohorel, pbhattac, pcahyna, pstodulk, sebastian.kisela, sponnaga, tmz, vbobade, walter.pete
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2 Doc Type: If docs needed, set a value
Doc Text:
A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update of the repository and the submodules done by the victim user, vulnerable versions of git may use the update setting in the .gitmodules file and execute arbitrary commands.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-20 21:19:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1781972, 1784637, 1784638, 1784639    
Bug Blocks: 1781145    

Description Pedro Sampaio 2019-12-11 00:40:55 UTC 
The change to disallow `submodule.<name>.update=!command` entries in`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 added explicit fsck checks) fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604).

References:

https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.20.2.txt
Comment 1 Pedro Sampaio 2019-12-11 00:41:38 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781972]
Comment 2 Riccardo Schirone 2019-12-13 16:41:52 UTC 
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1
Comment 3 Riccardo Schirone 2019-12-13 16:43:19 UTC 
External References:

https://github.com/git/git/security/advisories/GHSA-cj5c-9839-g2ch
Comment 4 Riccardo Schirone 2019-12-17 10:52:02 UTC 
Upstream fix:
https://github.com/git/git/commit/e904deb89d9a9669a76a426182506a084d3f6308
Comment 6 Riccardo Schirone 2019-12-17 14:06:25 UTC 
Vulnerability introduced in commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac . First vulnerable upstream version is v2.20.0-rc0. Until that commit, once the submodule was initialized, the submodule.<name>.update setting in .gitmodules was not read again. Starting with commit ee69b2a90c5031bffb3341c5e50653a6ecca89ac in some cases it is possible to make git read the submodule.<name>.update setting from the .gitmodules, which could contain a command to execute.
Comment 8 Riccardo Schirone 2019-12-17 14:36:41 UTC 
During initialization of submodules git correctly prevents submodule.<name>.update setting from being set to `!command` values, as that may execute arbitrary commands. However, after commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac, an update of the git repository and the git submodules would make git re-read the submodule.<name>.update setting from the .gitmodules file, which can be changed by the owner of the remote repository. During the submodule update, however, git does not check for `!command` values and it allows arbitrary commands to be executed.
Comment 10 Riccardo Schirone 2019-12-17 15:33:09 UTC 
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, and 7 as they did not support custom commands as a valid update setting for submodules.
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8 as they did no re-read the update setting from the .gitmodules file after the initialization of the submodules.
Comment 13 Pedro Sampaio 2019-12-17 21:19:07 UTC 
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784638]
Affects: fedora-all [bug 1784639]


Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784637]
Comment 16 Product Security DevOps Team 2020-05-20 21:19:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19604