A flaw was found in git which allows arbitrary code to be executed when running 'git clone --recurse-submodules' (or the deprecated 'git clone --recursive' synonym). A malicious repository can include a .gitmodules submodule config file which points outside of the repository. When git clones such a repository it can be tricked into running hooks within the cloned submodule, which is under the control of the attacker.

References:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html
https://news.ycombinator.com/item?id=17181238
Updated Fedora builds have been submitted for current releases:
F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-75f7624a9f
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-080a3d7866

Sites hosting git repositories can help mitigate the propagation of this issue to unpatched git clients by enabling 'transfer.fsckObjects'. (The hosting site should be running a patched git, of course.)
Created git tracking bugs for this issue: Affects: fedora-all [bug 1583878]
There is a simple way to test if your installation of 'git' is vulnerable:

git init test && \
cd test && \
git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules

Reference: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html
External References: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html
A user of Openshift Online does not have the ability to add new volumes. Therefore this vulnerability cannot be exploited by a user of Openshift Online by creating a volume from a GitRepo source [1]. The 'source-to-image' functionality in Openshift Online is currently affected. [1] https://docs.openshift.com/container-platform/3.9/dev_guide/volumes.html#adding-volumes
The 'git' binary is not installed in the RHEL Atomic base image, registry.access.redhat.com/rhel7-atomic.
git-2.17.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Is there someone working on a patch for 1.8.3.1 (RHEL7)?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1957 https://access.redhat.com/errata/RHSA-2018:1957
Created libgit2 tracking bugs for this issue: Affects: fedora-all [bug 1595769]
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Via RHSA-2018:2147 https://access.redhat.com/errata/RHSA-2018:2147
Mitigation: Don't create OCP source-to-image applications from source code repositories hosted by untrusted parties. GitHub is blocking users from pushing repositories with malicious submodules, so it's less likely you can pull a malicious repository from there which triggers this vulnerability.
Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not include the vulnerable code. If using OCP 3.6 make sure atomic-openshift-3.6.173.0.128-1.git.0.8da0828.el7 or later is installed on the master.
I was wrong, they were not the same package. The git binary reports the same version, but the package level is different and I guess something was patched between the two.