When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to "squat" on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux. References: https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Created git tracking bugs for this issue: Affects: fedora-all [bug 1781957]
oss-security mailing list reference: https://www.openwall.com/lists/oss-security/2019/12/13/1
External References: https://github.com/git/git/security/advisories/GHSA-4qvh-qvv7-frc7
Upstream fix: https://github.com/git/git/commit/0060fd1511b94c918928fa3708f69a3f33895a4a
Mitigation: Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.
Git may be tricked into using a non-empty directory as a path for a submodule while recursively cloning a repository. This could potentially be used to overwrite the .git directory and remotely execute code. However, this mainly affects Git for Windows and although in theory it may affects any platform where Git is used to clone onto a mounted network drive, we believe a Moderate impact better reflects the flaw. This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the system under certain circumstances.
The versions of git as shipped with Red Hat Enterprise Linux 6 already perform a check in the module_clone() function in git-submodule.sh, to ensure that the path is empty. If it is not, it tries to remove it and fail if that is not possible. The versions of git as shipped with Red Hat Enterprise Linux 7, and 8 do not perform any check on the path during the module_clone() function, thus they are potentially affected by this flaw.
Created libgit2 tracking bugs for this issue: Affects: epel-6 [bug 1784617] Affects: fedora-all [bug 1784616] Created libgit2-glib tracking bugs for this issue: Affects: fedora-all [bug 1784615]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1349
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228