Bug 2280466 (CVE-2024-32020)

Summary: CVE-2024-32020 git: insecure hardlinks

Product: [Other] Security Response
Component: vulnerability
Status: NEW ---
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1, git 2.40.2, git 2.39.4
Reporter: Nick Tait <ntait>
Assignee: Product Security <prodsec-ir-bot>
QA Contact:
Docs Contact:
CC: aprice, bdettelb, caswilli, chazlett, dfreiber, dkuc, drow, fjansen, gmalinko, hhorak, hkataria, janstey, jburrell, jmitchel, jorton, jsamir, jsherril, jtanner, kaycoth, kshier, mpierce, opohorel, orabin, pdelbell, rstepani, sidakwo, vkumar
Keywords: Security
Doc Type: ---
Doc Text:
A vulnerability was found in Git. When `git clone` is given a path on the local filesystem and the source and destination repositories reside on the same disk, Git hardlinks the source repository's object files into the new clone instead of copying them, for performance. If the source repository is owned by a different user, the resulting clone shares inodes with files that user controls: at any later time the source repository's owner can rewrite those hardlinked object files in place and thereby alter the contents of the cloning user's repository. Exploitation requires a local attacker who can place a repository on the same filesystem as the target and induce the target to clone it from that local path.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2280467, 2280468, 2280469, 2280470, 2280471, 2280473, 2280474, 2280475, 2280476, 2280477, 2280478
Bug Blocks: 2280416

Description Nick Tait 2024-05-14 23:52:09 UTC
Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.
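The inode-sharing hazard described in the Doc Text and in the description above, shown as an added example; this is not code from git or from the bug report. It does not invoke git at all: the "untrusted user's repository" and the "victim's clone" are stand-ins built with os.link, the loose-object path is a made-up hash, and the in-place rewrite stands for what the source repository's owner can do after the clone. The audit function is the check a practitioner would run on a clone: any object file with a link count above one is writable through some other path.

```python
"""Simulate the CVE-2024-32020 hazard and audit a clone for shared object inodes.

Added example (not git's code). Repositories are simulated with os.link.
"""
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical loose-object path: two-character fan-out directory plus the
# remainder of the object name. The hash is made up for the demonstration.
OBJECT_REL = Path("objects") / "ab" / "cdef0123456789abcdef0123456789abcdef01"


def find_shared_objects(repo_dir):
    """Return (relative path, link count, owner uid) for every regular file under
    <repo>/objects whose inode is shared with another path (st_nlink > 1).

    A clone made with --no-hardlinks has link counts of 1 throughout; anything
    higher means another path, possibly in another user's repository, can
    rewrite the file in place and the change appears here.
    """
    repo_dir = Path(repo_dir)
    shared = []
    for path in sorted((repo_dir / "objects").rglob("*")):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            shared.append((str(path.relative_to(repo_dir)), st.st_nlink, st.st_uid))
    return shared


def make_private_copies(repo_dir):
    """Break the sharing: replace each hardlinked object with a private copy.

    Copy to a temp name, then rename over the original. The rename drops our
    link to the shared inode; the new inode belongs to this repository alone.
    Returns the number of files replaced. Note this does not undo tampering
    that already happened; run `git fsck` afterwards to verify object hashes.
    """
    objects = Path(repo_dir) / "objects"
    fixed = 0
    for path in list(objects.rglob("*")):  # materialise before we modify dirs
        st = path.lstat()
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            tmp = path.with_name(path.name + ".tmp")
            tmp.write_bytes(path.read_bytes())
            os.replace(tmp, path)
            fixed += 1
    return fixed


def simulate_local_clone(root):
    """Build a source object store and a clone that hardlinks it, then tamper.

    Returns the clone's object bytes before and after the source owner rewrites
    the source file in place (open for writing, not write-tmp-and-rename, which
    is why git's own object writes do not trigger this but a deliberate attacker can).
    """
    src = Path(root) / "untrusted_user_repo" / ".git"
    dst = Path(root) / "victim_clone" / ".git"
    (src / OBJECT_REL).parent.mkdir(parents=True)
    (src / OBJECT_REL).write_bytes(b"original object bytes")
    (dst / OBJECT_REL).parent.mkdir(parents=True)
    # What a same-filesystem local clone does for performance: link, not copy.
    os.link(src / OBJECT_REL, dst / OBJECT_REL)
    before = (dst / OBJECT_REL).read_bytes()
    with open(src / OBJECT_REL, "r+b") as f:  # attacker writes the *source* path
        f.write(b"TAMPERED")
    after = (dst / OBJECT_REL).read_bytes()   # ...and the clone changes with it
    return before, after


def run_demo():
    """Run the whole scenario in a temp dir and return the observations."""
    with tempfile.TemporaryDirectory() as root:
        before, after = simulate_local_clone(root)
        clone = Path(root) / "victim_clone" / ".git"
        shared = find_shared_objects(clone)
        fixed = make_private_copies(clone)
        return {
            "before": before,
            "after": after,
            "shared_count": len(shared),
            "fixed": fixed,
            "shared_after_fix": len(find_shared_objects(clone)),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

In practice the defences are the ones implied by the fixed versions listed above: upgrade git, and when cloning a local path you do not own, pass `git clone --no-hardlinks` (copy the objects instead of linking them) or `--no-local` (go through the normal transport, which never links). Because git object names are content hashes, `git fsck` on a clone that this audit flags will report any object whose bytes were rewritten after the link was made.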

Comment 1 Nick Tait 2024-05-14 23:52:50 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280470]

Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280467]

Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280468]

Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280471]

Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280469]

Comment 2 Nick Tait 2024-05-14 23:53:22 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 2280476]

Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2280473]

Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2280474]

Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2280477]

Created swiftlint tracking bugs for this issue:

Affects: fedora-all [bug 2280475]

Comment 6 errata-xmlrpc 2024-06-25 08:18:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084

Comment 7 errata-xmlrpc 2024-06-25 08:24:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4083 https://access.redhat.com/errata/RHSA-2024:4083

Comment 9 errata-xmlrpc 2024-07-08 11:21:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4368 https://access.redhat.com/errata/RHSA-2024:4368