Bug 1935158 (CVE-2021-21300)

Summary: CVE-2021-21300 git: remote code execution during clone operation on case-insensitive filesystems
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, aos-bugs, besser82, bmontgom, chrisw, eparis, hhorak, jburrell, johannes, jorton, kaycoth, nstielau, opohorel, pstodulk, sebastian.kisela, sponnaga, tmz, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: git 2.17.6, git 2.18.5, git 2.19.6, git 2.20.5, git 2.21.4, git 2.22.5, git 2.23.4, git 2.24.4, git 2.25.5, git 2.26.3, git 2.27.1, git 2.28.1, git 2.29.3, git 2.30.2
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in git, in which a specially-crafted repository that contains a symbolic link may cause a just-checked-out script to be executed while cloning.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1935529, 1935530, 1935531, 1935532, 1935533, 1937166, 1937343, 1937344, 1937345, 1937346, 1937347
Bug Blocks: 1935161
Attachments: git upstream patch against v2.17.6 (flags: none)

Description Guilherme de Almeida Suckevicz 2021-03-04 13:17:29 UTC
On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.

Comment 3 Huzaifa S. Sidhpurwala 2021-03-05 03:44:52 UTC
Created attachment 1760809 [details]
git upstream patch against v2.17.6

Comment 6 Huzaifa S. Sidhpurwala 2021-03-10 02:56:48 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1937166]

Comment 8 Huzaifa S. Sidhpurwala 2021-03-10 02:58:35 UTC
Mitigation:

If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work.
Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled.
As always, it is best to avoid cloning repositories from untrusted sources.
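The mitigation above names two preconditions that must both hold in the global Git configuration: symbolic link support enabled (or left to filesystem auto-detection) and a delay-capable clean/smudge filter configured. The following POSIX shell script is an added example, not part of this bug report or of Git upstream; it flattens a git-config file into `section.key=value` lines and reports which precondition, if any, is absent. It keys on `filter.<driver>.process` because the delay capability belongs to Git's long-running filter-process protocol, which is what Git LFS registers under that key. An unset `core.symlinks` is left to filesystem detection, so only an explicit `false` counts as disabled. The sample config files written by `write_sample_configs` are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a git-config file for the two CVE-2021-21300 preconditions
# described in the mitigation (core.symlinks not disabled, a filter.*.process driver set).
# Not from the bug report or from Git upstream; parses the standard git-config syntax.

# Flatten a git-config file into "section[.subsection].key=value" lines.
git_config_flat() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[/ {                                   # section header: [core] or [filter "lfs"]
      line = $0
      sub(/^[ \t]*\[/, "", line); sub(/\][ \t]*$/, "", line)
      if (match(line, /"[^"]*"/)) {
        sub_name = substr(line, RSTART + 1, RLENGTH - 2)   # quoted subsection is case-sensitive
        sect = substr(line, 1, RSTART - 1)
        gsub(/[ \t]/, "", sect)
        section = tolower(sect) "." sub_name
      } else {
        gsub(/[ \t]/, "", line)
        section = tolower(line)
      }
      next
    }
    {                                               # key = value (a bare key means "true")
      eq = index($0, "=")
      if (eq == 0) { key = $0; val = "true" }
      else { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      print section "." tolower(key) "=" val
    }' "$1"
}

# Print one verdict for the config file given as $1:
#   symlinks-disabled  -> core.symlinks is explicitly false, attack does not apply
#   no-process-filter  -> no filter.<driver>.process configured, attack does not apply
#   exposed            -> both preconditions from the mitigation are present
cve_2021_21300_exposure() {
  flat=$(git_config_flat "$1")
  symlinks=$(printf '%s\n' "$flat" | awk -F= '$1 == "core.symlinks" { print tolower($2) }' | tail -n 1)
  process_filters=$(printf '%s\n' "$flat" | awk -F= '$1 ~ /^filter\..*\.process$/ { print $1 }')
  if [ "$symlinks" = "false" ]; then
    echo "symlinks-disabled"
  elif [ -z "$process_filters" ]; then
    echo "no-process-filter"
  else
    echo "exposed"
  fi
}

# Constructed sample configs (not taken from the page) for a self-check; $1 is a directory.
write_sample_configs() {
  dir=${1:-.}
  cat > "$dir/lfs-global.gitconfig" <<'EOF'
[user]
    name = Example User
[filter "lfs"]
    clean = git-lfs clean -- %f
    smudge = git-lfs smudge -- %f
    process = git-lfs filter-process
    required = true
EOF
  cat > "$dir/lfs-nosymlinks.gitconfig" <<'EOF'
[core]
    symlinks = false
[filter "lfs"]
    process = git-lfs filter-process
EOF
  cat > "$dir/plain.gitconfig" <<'EOF'
[core]
    autocrlf = input
EOF
}

# Example call against the real global config on this account:
#   cve_2021_21300_exposure "$HOME/.gitconfig"
```

On a host with git installed, the same two facts can be read live with `git config --global --get core.symlinks` and `git config --global --get-regexp '^filter\..*\.process$'`; the script exists so the check can also be run offline against config files collected from many machines. Note that the verdict only reflects configuration: a result of `exposed` still requires a case-insensitive filesystem and an unpatched Git for the flaw to be reachable, as the statement in this bug explains.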

Comment 10 Todd Zullinger 2021-03-10 06:27:50 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> Statement:
> 
> This vulnerability affects case-insensitive file systems, therefore typical
> Linux scenarios should be safe. However as per upstream exploitation is even
> possible on Linux under certain circumstances.

Those circumstances would be running git on a case-insensitive filesystem with support for symbolic links when certain clean/smudge filters are configured globally (e.g. Git LFS), correct? I know when I read the announcement earlier today I didn't think many Fedora Linux users should be vulnerable to this issue.

Comment 11 Florencio Cano 2021-03-10 12:44:26 UTC
Acknowledgments:

Name: Matheus Tavares

Comment 13 Todd Cullum 2021-03-22 19:05:13 UTC
Statement:

This vulnerability affects case-insensitive file systems, therefore typical Linux scenarios should be safe. However, as per upstream, exploitation is even possible on Linux under certain circumstances.

Red Hat CodeReady Studio 12 is not affected by this flaw because the JBoss Forge Addon uses jgit, which is a different (Java) git implementation from git itself.