Bug 2338289 (CVE-2024-52005)

Summary: CVE-2024-52005 git: The sideband payload is passed unfiltered to the terminal in git
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, chazlett, crizzo, dfreiber, drow, gmalinko, janstey, jburrell, jmitchel, jtanner, kshier, omaciel, pdelbell, rstepani, stcannon, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Git. When cloning, fetching, or pushing from a server, informational or error messages are transported from the remote Git process to the client via a sideband channel. These messages are prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information or to mislead the user into executing untrusted scripts.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2338314, 2338315    
Bug Blocks:    

Description OSIDB Bzimport 2025-01-15 18:01:31 UTC 
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Comment 2 errata-xmlrpc 2025-05-13 11:53:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7409 https://access.redhat.com/errata/RHSA-2025:7409
Comment 3 errata-xmlrpc 2025-05-13 15:58:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7482 https://access.redhat.com/errata/RHSA-2025:7482
Comment 4 errata-xmlrpc 2025-05-15 00:30:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:7640 https://access.redhat.com/errata/RHSA-2025:7640
Comment 5 errata-xmlrpc 2025-05-15 00:30:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:7641 https://access.redhat.com/errata/RHSA-2025:7641
Comment 6 errata-xmlrpc 2025-06-03 01:15:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8414 https://access.redhat.com/errata/RHSA-2025:8414