Bug 2076843 (CVE-2022-25648)

Summary: CVE-2022-25648 ruby-git: package vulnerable to Command Injection via git argument injection
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: bbuckingham, bcourt, btotty, ehelms, jsherril, lzap, mhulan, myarboro, nmoumoul, orabin, pcreech, praiskup, rchan, steve.traylen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ruby-git 1.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ruby-git, where the package is vulnerable to command injection via the git argument. This flaw allows an attacker to set additional flags, which leads to performing command injections.
Story Points: ---
Last Closed: 2022-12-07 09:32:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2077012, 2077013, 2077014, 2088443
Bug Blocks: 2076844

Description Sandipan Roy 2022-04-20 04:31:36 UTC
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

https://snyk.io/vuln/SNYK-RUBY-GIT-2421270
https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0
https://github.com/ruby-git/ruby-git/pull/569
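As an added defensive illustration (not ruby-git's own code and not the upstream fix from the PR above), a fetch wrapper that refuses positional arguments git would parse as options and places the remote after `--`; the helper names and the opts keys it understands are assumptions:

```ruby
# Added example, not ruby-git code: hardening against the argument-injection
# pattern described for Git#fetch(remote, opts) in CVE-2022-25648.
require 'open3'

class ArgumentInjectionError < StandardError; end

# Git reads any argument starting with "-" as an option until it sees "--".
# A positional value (remote name, ref) must therefore never start with "-".
def validate_git_positional!(value, name: 'argument')
  str = value.to_s
  raise ArgumentInjectionError, "#{name} must not be empty" if str.empty?
  if str.start_with?('-')
    raise ArgumentInjectionError,
          "#{name} #{str.inspect} starts with '-' and would be parsed as a git option"
  end
  str
end

# Build the argv for "git fetch" as an array (no shell involved). Option
# flags are derived only from known opts keys (assumed subset: :all, :prune/:p,
# :tags/:t, :ref); the remote is validated and placed after "--" so git
# cannot interpret it as an option even if validation were bypassed.
def build_fetch_argv(remote = 'origin', opts = {})
  remote = validate_git_positional!(remote, name: 'remote')
  argv = %w[git fetch]
  argv << '--all'   if opts[:all]
  argv << '--prune' if opts[:p] || opts[:prune]
  argv << '--tags'  if opts[:t] || opts[:tags]
  argv << '--'
  argv << remote
  argv << validate_git_positional!(opts[:ref], name: 'ref') if opts[:ref]
  argv
end

# Execute without a shell: each argv element reaches git as one argument and
# cannot be re-split or re-interpreted. Returns [success?, stdout, stderr].
def run_fetch(remote = 'origin', opts = {}, chdir: Dir.pwd)
  argv = build_fetch_argv(remote, opts)
  out, err, status = Open3.capture3(*argv, chdir: chdir)
  [status.success?, out, err]
end
```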

Comment 1 Todd Zullinger 2022-04-20 12:16:10 UTC
This should refer to the rubygem-git component in the title of the ticket and the Cc list.  It's not, so far as I can tell, a bug in the git package.  (It's misleading and inaccurate that the snyk.io link refers to it as "git" without making it clear this is the rubygem git library.)

Comment 2 Sandipan Roy 2022-04-20 12:59:30 UTC
Created rubygem-git tracking bugs for this issue:

Affects: epel-8 [bug 2077012]
Affects: fedora-34 [bug 2077013]
Affects: fedora-35 [bug 2077014]

Comment 3 Borja Tarraso 2022-05-19 13:00:56 UTC
After reviewing the CVSS, a rescore was needed, making it critical.

As the flaw generally would require some permissions to exploit in most cases, the impact for most scenarios would be kept as important, but there could be cases in which the impact for the library in the worst case can be considered critical.

Due to the fact that only one of our Red Hat Satellite 10 is affected (we only ship code but do not use it), we anticipate a low or moderate impact there.

Comment 9 errata-xmlrpc 2022-11-16 13:32:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506

Comment 10 Product Security DevOps Team 2022-12-07 09:32:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25648