Bug 2073414 (CVE-2022-24765)

Summary: CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, besser82, caswilli, chrisw, dhalasz, fjansen, hhorak, jdelft, jkoehler, johannes, jorton, jwong, kaycoth, leskomw, micjohns, mvanderw, opohorel, psegedy, pstodulk, sebastian.kisela, security-response-team, sthirugn, tmz, tsasak, vkrizan, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: git-2.30.3, git-2.31.2, git-2.32.1, git-2.33.2, git-2.34.2, git-2.35.2, and git-2.36.0-rc2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 14:31:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2078716, 2078718, 2078719, 2078720
Bug Blocks: 2073442

Description Pedro Sampaio 2022-04-08 12:41:46 UTC
On multi-user machines, Git users might find themselves unexpectedly in
a Git worktree, e.g. when there is a scratch space (`/scratch/`) intended
for all users and another user created a repository in `/scratch/.git`.
Merely having a Git-aware prompt that runs `git status` (or `git diff`)
and navigating to a directory which is supposedly not a Git worktree, or
opening such a directory in an editor or IDE such as VS Code or Atom, will
potentially run commands defined by that other user via `/scratch/.git/config`.

Comment 2 Todd Zullinger 2022-04-13 17:30:26 UTC
Per https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ the issue has been fixed in git-2.30.3, git-2.31.2, git-2.32.1, git-2.33.2, git-2.34.2, git-2.35.2, and git-2.36.0-rc2.

I pushed 2.36.0.rc2 to rawhide late last night.  I'm going to wait just a bit before pushing any fixes to the stable releases.  I'd like to be more confident the changes don't cause major problems.  It could cause issue for CI workflows, for example.

Comment 3 Todd Zullinger 2022-04-14 02:19:54 UTC
New releases for each of the maintenance tracks have been made which add the ability to specify 'safe.directory=*' as a broad "escape hatch" from the changes.

https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/ is the release announcement.

The relevant commits:

https://github.com/git/git/commit/e47363e5a8 (t0033: add tests for safe.directory, 2022-04-13)
https://github.com/git/git/commit/bb50ec3cc3 (setup: fix safe.directory key not being checked, 2022-04-13)
https://github.com/git/git/commit/0f85c4a30b (setup: opt-out of check with safe.directory=*, 2022-04-13)
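Added illustration (not git's own code and not part of this bug report): a portable shell helper that applies the same ownership test the fixed versions perform on the discovered worktree (the `/scratch/.git` scenario from the description) and, on a mismatch, prints the `safe.directory` opt-in that Comment 3 describes as the escape hatch. The names `find_worktree`, `owner_uid` and `check_repo_owner` are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper mimicking the check added in git 2.30.3 and later:
# a repository is only trusted when its top-level directory is owned by
# the user running git, unless safe.directory lists it (or is "*").

# Walk up from DIR until an entry named .git is found, as git discovery does.
# Prints the worktree top on success; returns 1 when no repository is above DIR.
find_worktree() {
    dir=$(cd "$1" && pwd -P) || return 1
    while [ "$dir" != "/" ]; do
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        dir=$(dirname "$dir")
    done
    [ -e "/.git" ] && { printf '/\n'; return 0; }
    return 1
}

# Numeric owner uid of PATH via POSIX `ls -n` (works on GNU and BSD alike).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# check_repo_owner DIR [UID]: UID defaults to the caller's uid and exists so
# the "other user" case can be exercised without a second account.
# Returns 0 when DIR is outside any repository or the worktree is owned by
# UID, and 2 when it belongs to someone else (git's "dubious ownership").
check_repo_owner() {
    me=${2:-$(id -u)}
    top=$(find_worktree "$1") || { echo "no repository above $1"; return 0; }
    uid=$(owner_uid "$top")
    if [ "$uid" = "$me" ]; then
        echo "ok: $top is owned by uid $uid"
        return 0
    fi
    echo "dubious ownership: $top is owned by uid $uid, not uid $me"
    echo "if this repository is trusted, allow it explicitly with:"
    echo "  git config --global --add safe.directory $top"
    return 2
}
```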

Comment 4 Sandipan Roy 2022-04-26 05:54:56 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2078716]

Comment 6 Todd Zullinger 2022-04-26 15:04:57 UTC
The doc text seems slightly inaccurate.  There was no `safe.directory` option to check prior to this release.  It also doesn't allow access to the repository by any user.  The issue is that the owner of the repository can cause commands to be run for any other user who already has access to the repository (which can occur by just changing into the repository if the user has configured git to show repo info in their shell prompt).  Perhaps it could say something like this:

A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration.  This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.

Comment 7 juneau 2022-05-02 18:40:45 UTC
marking Services affected/delegated for presence of affected code, however the incidence of this issue actually occurring would appear highly unlikely at best

Comment 11 errata-xmlrpc 2023-05-09 07:28:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2319 https://access.redhat.com/errata/RHSA-2023:2319

Comment 12 errata-xmlrpc 2023-05-16 08:20:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2859 https://access.redhat.com/errata/RHSA-2023:2859

Comment 13 Product Security DevOps Team 2023-05-16 14:31:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24765

Comment 15 errata-xmlrpc 2024-01-24 16:41:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0407 https://access.redhat.com/errata/RHSA-2024:0407