Bug 1826001 (CVE-2020-11008)

Summary: CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amahdal, besser82, c.david86, chrisw, hhorak, jorton, opohorel, pcahyna, pstodulk, sebastian.kisela, security-response-team, tmz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.17.5, git 2.18.4, git 2.19.5, git 2.20.4, git 2.21.3, git 2.22.4, git 2.23.3, git 2.24.3, git 2.25.4, git 2.26.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in git where credentials can be leaked through the use of a crafted URL. The crafted URL must contain a newline, empty host, or lack a scheme so that the credential helper is fulled into giving the information of a different host to the client. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-29 22:31:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1826004, 1826005, 1826006, 1826007, 1826008, 1826009, 1826010, 1826011, 1826130, 1869466    
Bug Blocks: 1826003    
Attachments:
Description Flags
Upstream patch none

Description Huzaifa S. Sidhpurwala 2020-04-20 16:40:28 UTC 
As per upstream advisory:

With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.

Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).

The attack has been made impossible by refusing to work with under-specified credential patterns.
Comment 1 Huzaifa S. Sidhpurwala 2020-04-20 16:40:32 UTC 
Acknowledgments:

Name: the Git project
Upstream: Carlo Arenas
Comment 4 Huzaifa S. Sidhpurwala 2020-04-20 16:49:07 UTC 
Created attachment 1680338 [details]
Upstream patch
Comment 5 Eric Christensen 2020-04-20 19:13:57 UTC 
Statement:

Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never made available for this product.
Comment 7 Huzaifa S. Sidhpurwala 2020-04-21 01:04:09 UTC 
Mitigation:

The most complete workaround is to disable credential helpers altogether:

~~~
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
~~~

An alternative is to avoid malicious URLs:

1. Examine the hostname and username portion of URLs fed to git clone or git fetch for the presence of encoded newlines (%0A) or syntactic oddities (e.g., http:///host with three slashes).
2. Avoid using submodules with untrusted repositories (don't use git clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules).
3. Avoid tools which may run git clone on untrusted URLs under the hood.
4. Avoid using the credential helper by only cloning publicly available repositories.
Comment 8 Huzaifa S. Sidhpurwala 2020-04-21 01:06:02 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1826130]
Comment 9 Huzaifa S. Sidhpurwala 2020-04-21 01:08:19 UTC 
Upstream commit:
https://github.com/git/git/compare/v2.17.4...v2.17.5
Comment 10 Huzaifa S. Sidhpurwala 2020-04-21 01:08:32 UTC 
External References:

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
https://lore.kernel.org/git/xmqq4kterq5s.fsf@gitster.c.googlers.com/
Comment 15 errata-xmlrpc 2020-04-29 20:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:1975 https://access.redhat.com/errata/RHSA-2020:1975
Comment 16 Product Security DevOps Team 2020-04-29 22:31:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11008
Comment 17 errata-xmlrpc 2020-04-30 09:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:1979 https://access.redhat.com/errata/RHSA-2020:1979
Comment 18 errata-xmlrpc 2020-04-30 10:28:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1978 https://access.redhat.com/errata/RHSA-2020:1978
Comment 19 errata-xmlrpc 2020-04-30 11:14:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1980 https://access.redhat.com/errata/RHSA-2020:1980
Comment 20 errata-xmlrpc 2020-05-28 19:25:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2337 https://access.redhat.com/errata/RHSA-2020:2337
Comment 22 errata-xmlrpc 2020-08-31 09:15:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3581 https://access.redhat.com/errata/RHSA-2020:3581