Bug 1653143 (CVE-2018-19486) - CVE-2018-19486 git: Improper handling of PATH allows for commands to be executed from the current directory
Status: CLOSED ERRATA
Alias: CVE-2018-19486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1653144 1653534 1653538 1653539
Blocks: 1653150
Reported: 2018-11-26 04:35 UTC by Sam Fowler
Modified: 2019-09-29 15:03 UTC (History)

Fixed In Version: git 2.19.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-11 15:43:32 UTC
Embargoed:

Links:
Red Hat Product Errata RHSA-2018:3800 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2018-12-10 08:11:30 UTC)

Description Sam Fowler 2018-11-26 04:35:45 UTC
Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.

Upstream Patch:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd823

Reference:
https://git.kernel.org/pub/scm/git/git.git/tree/Documentation/RelNotes/2.19.2.txt

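To make the mechanism in the description concrete, the C sketch below is an added illustration, hypothetical code rather than git's own run-command.c: a PATH lookup whose non-strict mode reproduces the fallback that lets execv() run a command from the current working directory, beside a strict mode that reports the miss with ENOENT instead. It assumes /bin/sh exists; the directory and command names in the self-check are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char *dup_str(const char *s)     /* strdup without relying on POSIX */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
/* Hypothetical illustration of CVE-2018-19486, not git's run-command.c.
 * Resolves cmd against a PATH-style list: returns a malloc'd path, or NULL
 * with errno = ENOENT on a miss. strict = 0 reproduces the pre-2.19.2 pattern,
 * handing the bare name to execv(), which resolves it in the current directory. */
char *locate_in_path(const char *cmd, const char *path, int strict)
{
    if (strchr(cmd, '/'))               /* explicit path: caller asked for it */
        return dup_str(cmd);
    for (const char *p = path;; p++) {  /* p++ steps past each ':' */
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char *cand = malloc(len + strlen(cmd) + 2);
        if (!cand) return NULL;
        /* POSIX: an empty element means cwd, but only when PATH lists one */
        sprintf(cand, "%.*s%s%s", (int)len, p, len ? "/" : "", cmd);
        if (access(cand, F_OK) == 0) return cand;
        free(cand);
        if (!end) break;
        p = end;
    }
    if (!strict)
        return dup_str(cmd);            /* BUG: execv() will look in cwd */
    errno = ENOENT;                     /* fix: report the miss, never fall back */
    return NULL;
}

/* Self-check; assumes /bin/sh exists. Returns 0 when every expectation holds,
 * otherwise the number of the first one that failed. */
int demo(void)
{
    char *hit = locate_in_path("sh", "/nonexistent-dir:/bin", 1);
    char *lax = locate_in_path("no-such-cmd", "/bin", 0);
    char *fix = locate_in_path("no-such-cmd", "/bin", 1);
    int rc = (!hit || strcmp(hit, "/bin/sh")) ? 1
           : (!lax || strcmp(lax, "no-such-cmd")) ? 2
           : (fix || errno != ENOENT) ? 3 : 0;
    free(hit); free(lax); free(fix);
    return rc;
}
```

The non-strict result is exactly what a subsequent execv() would receive: a name with no directory component, which the kernel opens relative to the working directory, so whatever that directory contains decides what runs.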
Comment 1 Sam Fowler 2018-11-26 04:36:21 UTC
Created git tracking bugs for this issue:

Affects: epel-all [bug 1653145]
Affects: fedora-all [bug 1653144]

Comment 5 Pavel Cahyna 2018-11-27 10:20:29 UTC
The change in question (e3a434468f) appeared first in 2.13.2 and 2.14.

Comment 7 errata-xmlrpc 2018-12-10 08:11:29 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3800 https://access.redhat.com/errata/RHSA-2018:3800
