Bug 2280446 (CVE-2024-32465)

Summary: CVE-2024-32465 git: additional local RCE
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aprice, bdettelb, caswilli, chazlett, dfreiber, dkuc, drow, fjansen, gmalinko, hhorak, hkataria, janstey, jburrell, jmitchel, jorton, jsamir, jsherril, jtanner, kaycoth, kshier, mpierce, opohorel, orabin, pdelbell, rstepani, sidakwo, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1 , git 2.40.2, git 2.39.4 Doc Type: ---
Doc Text:
A flaw was found in Git in a full copy of a Git repository. A prerequisite for this vulnerability is for an unauthenticated attacker to place a specialized repository on their target's local system. If the victim were to clone this repository, it could result in arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2280447, 2280448, 2280449, 2280450, 2280451, 2280453, 2280454, 2280455, 2280456, 2280457, 2280459    
Bug Blocks: 2280416    

Description Nick Tait 2024-05-14 23:39:32 UTC 
The Git project recommends to avoid working in untrusted repositories, and instead to clone them first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed.

In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004.

But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository.
Comment 1 Nick Tait 2024-05-14 23:40:12 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280450]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280447]


Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280448]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280451]


Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280449]
Comment 2 Nick Tait 2024-05-14 23:40:51 UTC 
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280456]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280453]


Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280454]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280457]


Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280455]
Comment 6 errata-xmlrpc 2024-06-25 08:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084
Comment 7 errata-xmlrpc 2024-06-25 08:24:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083
Comment 9 errata-xmlrpc 2024-07-08 11:21:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368