Bug 1269794 (CVE-2015-7545) - CVE-2015-7545 git: arbitrary code execution via crafted URLs
Summary: CVE-2015-7545 git: arbitrary code execution via crafted URLs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1269797 1269798 1273889 1273890 1274737
Blocks: 1269795
TreeView+ depends on / blocked
 
Reported: 2015-10-08 08:53 UTC by Martin Prpič
Modified: 2019-09-29 13:37 UTC (History)
17 users (show)

Fixed In Version: git 2.6.1, git 2.3.10
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
Clone Of:
Environment:
Last Closed: 2015-12-09 20:35:04 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2515 normal SHIPPED_LIVE Moderate: git19-git security update 2015-11-25 22:18:18 UTC
Red Hat Product Errata RHSA-2015:2561 normal SHIPPED_LIVE Moderate: git security update 2015-12-08 15:28:08 UTC

Description Martin Prpič 2015-10-08 08:53:43 UTC
The following issue was fixed in Git version 2.6.1:

* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

Upstream patches:

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

CVE request:

http://seclists.org/oss-sec/2015/q4/37

Comment 1 Martin Prpič 2015-10-08 08:56:06 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1269797]
Affects: epel-5 [bug 1269798]

Comment 3 Ján Rusnačko 2015-10-14 15:16:38 UTC
Blake Burkhart on oss-security:

"
Arbitrary shell command execution from .gitmodules:

Git allows executing arbitrary shell commands using git-remote-ext via a
remote URLs. Normally git never requests URLs that the user doesn't
specifically request, so this is not a serious security concern. However,
submodules did allow the remote repository to specify what URL to clone
from.

If an attacker can instruct a user to run a recursive clone from a
repository they control, they can get a client to run an arbitrary shell
command. Alternately, if an attacker can MITM an unencrypted git clone,
they could exploit this. The ext command will be run if the repository is
recursively cloned or if submodules are updated. This attack works when
cloning both local and remote repositories.

a5adace and 33cfccb fixed this behavior by introducing a whitelist of
allowed protocols for all git submodule operations.
"

Analysis:
From `man git-remote-ext`:

  "This remote helper is transparently used by Git when you use commands such as "git fetch <URL>", "git clone <URL>", , "git push <URL>" or "git remote add <nick> <URL>", where <URL> begins with ext::. "

So given a URL in format "ext::<command>[ <arguments>...]", this helper uses specified <command> to connect to a remote Git server.

This was not filtered, so arbitrary command injected here leads to command execution.

In order to be vulnerable, victim needs to fetch the data from attacker supplied URL without noticing. One such attack is described above.

Mitigation:

Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable ("e.g. by specifying --recursive").

Comment 6 Fedora Update System 2015-11-02 18:51:40 UTC
git-2.5.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-11-08 09:49:02 UTC
git-2.4.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2015-11-25 17:18:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2015:2515 https://rhn.redhat.com/errata/RHSA-2015-2515.html

Comment 9 errata-xmlrpc 2015-12-08 10:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2561 https://rhn.redhat.com/errata/RHSA-2015-2561.html

Comment 10 Fedora Update System 2016-01-02 19:53:17 UTC
git-1.8.2.1-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.