Bug 1822020 (CVE-2020-5260)

Summary: CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amahdal, besser82, bugzilla, c.david86, chrisw, fedora, hhorak, hpd-redhat, jorton, opohorel, pcahyna, pstodulk, sebastian.kisela, security-response-team, tmz, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.17.4, git 2.18.3, git 2.19.4, git 2.20.3, git 2.21.2, git 2.22.3, git 2.23.2, git 2.24.2, git 2.25.3, git 2.26.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in git. Credentials can be leaked through the use of a crafted URL that contains a newline, fooling the credential helper to give information for a different host. Highest threat from the vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-21 10:31:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1822046, 1822047, 1822048, 1822049, 1822050, 1822051, 1822095, 1822096, 1824020, 1872717    
Bug Blocks: 1822021    
Attachments:
Description Flags
Upstream patch-set none

Description Huzaifa S. Sidhpurwala 2020-04-08 05:09:12 UTC 
As per upstream security advisory:

With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host.  The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
Comment 1 Huzaifa S. Sidhpurwala 2020-04-08 05:14:25 UTC 
Acknowledgments:

Name: the Git project
Upstream: Felix Wilhelm (Google project zero)
Comment 2 Huzaifa S. Sidhpurwala 2020-04-08 05:24:44 UTC 
Created attachment 1677136 [details]
Upstream patch-set
Comment 6 Eric Christensen 2020-04-09 15:16:28 UTC 
Statement:

Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never packaged for this instance of RHEL.
Comment 7 Huzaifa S. Sidhpurwala 2020-04-15 05:14:10 UTC 
Upstream patch: https://github.com/git/git/compare/v2.17.3...v2.17.4
Comment 8 Huzaifa S. Sidhpurwala 2020-04-15 05:14:16 UTC 
External References:

https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/
https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
Comment 10 Huzaifa S. Sidhpurwala 2020-04-15 05:14:54 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1824020]
Comment 11 Huzaifa S. Sidhpurwala 2020-04-15 05:17:15 UTC 
Mitigation:

The most complete workaround is to disable credential helpers altogether:
~~~
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
~~~

An alternative is to avoid malicious URLs:
1. Examine the hostname and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g., host=github.com)
2. Avoid using submodules with untrusted repositories (don't use clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules)
3. Avoid tools which may run git clone on untrusted URLs under the hood
Comment 12 errata-xmlrpc 2020-04-21 08:05:08 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:1503 https://access.redhat.com/errata/RHSA-2020:1503
Comment 13 Product Security DevOps Team 2020-04-21 10:31:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5260
Comment 14 errata-xmlrpc 2020-04-21 11:14:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1511 https://access.redhat.com/errata/RHSA-2020:1511
Comment 15 errata-xmlrpc 2020-04-21 17:19:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1518 https://access.redhat.com/errata/RHSA-2020:1518
Comment 16 errata-xmlrpc 2020-04-21 17:48:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1513 https://access.redhat.com/errata/RHSA-2020:1513
Comment 20 errata-xmlrpc 2020-08-31 09:15:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3581 https://access.redhat.com/errata/RHSA-2020:3581