Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. References: https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Created git tracking bugs for this issue: Affects: fedora-all [bug 1781954]
Upstream patch: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
External References: https://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2
oss-security mailing list reference: https://www.openwall.com/lists/oss-security/2019/12/13/1
Submodule names are used to construct the path of the gitdir associated with each submodule (the superproject keeps it under .git/modules/<name>), but git did not correctly validate those names, so a submodule's gitdir could end up nested inside the gitdir of another submodule. Because a submodule's gitdir also contains hook scripts that git executes during various operations, allowing such nested paths is risky. In some circumstances an attacker could trick a user into recursively cloning a malicious repository which, when cloned, would allow the attacker to execute code on the victim's machine.
The only known exploit at this time allows only very targeted attacks, in which the attacker knows the victim's user.name and user.email and the rough time window in which the repository will be cloned recursively. However, we do not exclude that other ways may exist.
Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, as they did not use submodule names to construct git metadata paths.
Mitigation: Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.
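The following script is an added illustration of the nesting problem described above and of a check that can be run between a plain (non-recursive) clone and `git submodule update --init`; it is not code from git, from the upstream patch or from Red Hat. It assumes only the standard layout in which a superproject stores each submodule's repository under `.git/modules/<submodule name>`, and it parses the `[submodule "<name>"]` headers of a constructed sample `.gitmodules` file. The upstream fix works differently (it refuses, at clone time, to create a submodule gitdir inside an existing git directory); this version simply compares the gitdir paths that a set of names would produce, component by component, so that a name like `hippopotamus` is not mistaken for something nested under `hippo`.

```python
"""Flag submodule names whose gitdir would nest inside a sibling's gitdir.

A superproject stores each submodule's repository under
.git/modules/<submodule name>, so a submodule named "hippo/hooks" would be
cloned into .git/modules/hippo/hooks, i.e. into the hooks directory of a
submodule named "hippo". This script reads a .gitmodules file and reports
such pairs before any recursive checkout is performed.
"""
import posixpath
import re
import sys

MODULES_DIR = ".git/modules"

# Constructed sample .gitmodules (not a real project): the second entry
# nests inside the first; the third only shares a string prefix.
SAMPLE_GITMODULES = """\
[submodule "hippo"]
\tpath = hippo
\turl = https://example.invalid/hippo.git
[submodule "hippo/hooks"]
\tpath = hippo-hooks
\turl = https://example.invalid/hooks.git
[submodule "hippopotamus"]
\tpath = hippopotamus
\turl = https://example.invalid/hippopotamus.git
"""

# Matches a [submodule "<name>"] section header; the name may contain
# backslash escapes as in git's config syntax.
_SECTION = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def submodule_names(gitmodules_text):
    """Return submodule names declared in .gitmodules, in file order.

    Minimal parser: only the section headers matter here, because the
    gitdir location is derived from the submodule *name*, not its path.
    """
    names = []
    for line in gitmodules_text.splitlines():
        m = _SECTION.match(line)
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def gitdir_for(name):
    """Directory under which the superproject keeps this submodule's repository."""
    return posixpath.join(MODULES_DIR, name)


def nested_gitdirs(names):
    """Return (inner, outer) pairs where inner's gitdir lies inside outer's gitdir.

    The comparison is by path component, so "hippopotamus" is not reported
    as nested under "hippo" even though one string is a prefix of the other.
    """
    parts = {n: gitdir_for(n).rstrip("/").split("/") for n in names}
    problems = []
    for inner, ip in parts.items():
        for outer, op in parts.items():
            if inner != outer and len(ip) > len(op) and ip[: len(op)] == op:
                problems.append((inner, outer))
    return problems


def check_gitmodules(gitmodules_text):
    """Return human-readable findings for one .gitmodules file (empty if clean)."""
    return [
        f"submodule '{inner}' would use gitdir {gitdir_for(inner)}, "
        f"which is inside gitdir {gitdir_for(outer)} of submodule '{outer}'"
        for inner, outer in nested_gitdirs(submodule_names(gitmodules_text))
    ]


if __name__ == "__main__":
    # Usage: python check_submodules.py [path/to/.gitmodules]
    # Run after `git clone` (without --recurse-submodules) and before
    # `git submodule update --init --recursive`; exits non-zero on findings.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    findings = check_gitmodules(text)
    for finding in findings:
        print("WARNING:", finding)
    sys.exit(1 if findings else 0)
```

The check only covers the one `.gitmodules` file it is given; nested submodules carry their own `.gitmodules`, which can only be inspected after the outer submodule has been cloned, so the script has to be re-run at each level. It is a stop-gap for untrusted repositories on a git that has not yet been updated, not a substitute for the fixed packages listed below.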
Created libgit2 tracking bugs for this issue: Affects: epel-6 [bug 1784611] Affects: fedora-all [bug 1784610]
Created libgit2-glib tracking bugs for this issue: Affects: fedora-all [bug 1784614]
OpenShift Container Platform 3 and 4 use git from Red Hat Enterprise Linux (RHEL). Once an update for git in RHEL is available, it will be rebuilt into the affected OCP container images.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1387
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0124 https://access.redhat.com/errata/RHSA-2020:0124
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228