Bug 1636619 - (CVE-2018-17456) CVE-2018-17456 git: arbitrary code execution via .gitmodules
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20181005,repo...
: Security
Depends On: 1636622 1637206 1637207 1637208 1637209 1637210 1637211 1637212 1637214 1637215 1638265 1638266 1638269 1638271 1636620 1636621 1637216 1637217 1638270 1638275
Blocks: 1636623
Reported: 2018-10-05 17:44 EDT by Laura Pardo
Modified: 2018-10-30 12:58 EDT

See Also:
Fixed In Version: git 2.14.5, git 2.15.3, git 2.16.5, git 2.17.2, git 2.18.1, git 2.19.1
Doc Type: If docs needed, set a value
Doc Text:
An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2018:3408
Priority: None
Status: None
Summary: None
Last Updated: 2018-10-30 12:58 EDT
Description Laura Pardo 2018-10-05 17:44:24 EDT
A flaw was found in git which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules.


References:
https://bugzilla.novell.com/show_bug.cgi?id=1110949
https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08
Comment 1 Laura Pardo 2018-10-05 17:44:54 EDT
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1636620]


Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1636621]
Comment 5 Jason Shepherd 2018-10-08 02:15:58 EDT
Statement:

OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use, therefore a cluster update is required to patch this issue. Full instructions will be provided in Security Errata provided for this issue.

In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node. Therefore the severity of this CVE is important for these versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container.
Comment 9 Riccardo Schirone 2018-10-10 05:13:24 EDT
git does not properly pass the `url` and `path` fields of a submodule to the git-clone command when recursively cloning a repository with git sub-modules. If the `url` field begins with a `-` (dash), this is going to be interpreted as an option.
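Added example for the mechanism Comment 9 describes (not git's code and not attached to this bug): a small scanner that parses a .gitmodules file, flags submodule `url`/`path` values that a naive `git clone <url> <path>` would read as options, and builds the argv shape (an explicit `--` terminator) that keeps such values from being parsed as options. The sample .gitmodules content is constructed.

```python
import re

# Constructed sample: one benign submodule and one whose url starts with "-",
# the precondition for the option-injection flaw in CVE-2018-17456.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
    path = lib/good
    url = https://example.invalid/good.git
[submodule "lib/odd"]
    path = lib/odd
    url = --constructed-leading-dash-value
"""


def parse_gitmodules(text):
    """Parse git's .gitmodules format into {name: {key: value}}.
    Handles [submodule "name"] sections, key = value lines and # / ; comments."""
    mods, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r'\[submodule\s+"([^"]+)"\]', line)
        if header:
            current = mods.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return mods


def find_option_injection(mods):
    """Names of submodules whose url or path begins with '-', i.e. values that
    git-clone would interpret as options if passed without a '--' separator."""
    return sorted(name for name, kv in mods.items()
                  if any(kv.get(k, "").startswith("-") for k in ("url", "path")))


def safe_clone_argv(url, path):
    """Argv for cloning a submodule where url/path can never become options:
    everything after '--' is treated as a positional argument by git clone."""
    return ["git", "clone", "--", url, path]


if __name__ == "__main__":
    mods = parse_gitmodules(SAMPLE_GITMODULES)
    print("suspicious submodules:", find_option_injection(mods))
```

Running a check like this over .gitmodules before a `--recurse-submodules` clone on an unpatched client gives an early warning; the real fix is updating to one of the versions listed under "Fixed In Version".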
Comment 17 errata-xmlrpc 2018-10-30 12:58:39 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3408 https://access.redhat.com/errata/RHSA-2018:3408