This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1269794 - (CVE-2015-7545) CVE-2015-7545 git: arbitrary code execution via crafted URLs
CVE-2015-7545 git: arbitrary code execution via crafted URLs
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151005,repor...
: Security
Depends On: 1269797 1269798 1273889 1273890 1274737
Blocks: 1269795
  Show dependency treegraph
 
Reported: 2015-10-08 04:53 EDT by Martin Prpič
Modified: 2016-01-02 14:53 EST (History)
17 users (show)

See Also:
Fixed In Version: git 2.6.1, git 2.3.10
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-09 15:35:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-10-08 04:53:43 EDT
The following issue was fixed in Git version 2.6.1:

* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

Upstream patches:

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

CVE request:

http://seclists.org/oss-sec/2015/q4/37
Comment 1 Martin Prpič 2015-10-08 04:56:06 EDT
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1269797]
Affects: epel-5 [bug 1269798]
Comment 3 Ján Rusnačko 2015-10-14 11:16:38 EDT
Blake Burkhart on oss-security:

"
Arbitrary shell command execution from .gitmodules:

Git allows executing arbitrary shell commands using git-remote-ext via a
remote URLs. Normally git never requests URLs that the user doesn't
specifically request, so this is not a serious security concern. However,
submodules did allow the remote repository to specify what URL to clone
from.

If an attacker can instruct a user to run a recursive clone from a
repository they control, they can get a client to run an arbitrary shell
command. Alternately, if an attacker can MITM an unencrypted git clone,
they could exploit this. The ext command will be run if the repository is
recursively cloned or if submodules are updated. This attack works when
cloning both local and remote repositories.

a5adace and 33cfccb fixed this behavior by introducing a whitelist of
allowed protocols for all git submodule operations.
"

Analysis:
From `man git-remote-ext`:

  "This remote helper is transparently used by Git when you use commands such as "git fetch <URL>", "git clone <URL>", , "git push <URL>" or "git remote add <nick> <URL>", where <URL> begins with ext::. "

So given a URL in format "ext::<command>[ <arguments>...]", this helper uses specified <command> to connect to a remote Git server.

This was not filtered, so arbitrary command injected here leads to command execution.

In order to be vulnerable, victim needs to fetch the data from attacker supplied URL without noticing. One such attack is described above.

Mitigation:

Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable ("e.g. by specifying --recursive").
Comment 6 Fedora Update System 2015-11-02 13:51:40 EST
git-2.5.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-11-08 04:49:02 EST
git-2.4.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2015-11-25 12:18:40 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2015:2515 https://rhn.redhat.com/errata/RHSA-2015-2515.html
Comment 9 errata-xmlrpc 2015-12-08 05:28:47 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2561 https://rhn.redhat.com/errata/RHSA-2015-2561.html
Comment 10 Fedora Update System 2016-01-02 14:53:17 EST
git-1.8.2.1-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.