Bug 1822020 (CVE-2020-5260) - CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
Summary: CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-5260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1822050 1822051 1822046 1822047 1822048 1822049 1822095 1822096 1824020 1872717
Blocks: 1822021
TreeView+ depends on / blocked
 
Reported: 2020-04-08 05:09 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-08-31 09:15 UTC (History)
16 users (show)

Fixed In Version: git 2.17.4, git 2.18.3, git 2.19.4, git 2.20.3, git 2.21.2, git 2.22.3, git 2.23.2, git 2.24.2, git 2.25.3, git 2.26.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in git. Credentials can be leaked through the use of a crafted URL that contains a newline, fooling the credential helper to give information for a different host. Highest threat from the vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2020-04-21 10:31:57 UTC


Attachments (Terms of Use)
Upstream patch-set (13.50 KB, patch)
2020-04-08 05:24 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1971 None None None 2020-04-29 15:40:35 UTC
Red Hat Product Errata RHBA-2020:2042 None None None 2020-05-06 19:39:22 UTC
Red Hat Product Errata RHBA-2020:2043 None None None 2020-05-06 19:37:21 UTC
Red Hat Product Errata RHBA-2020:2105 None None None 2020-05-12 14:34:28 UTC
Red Hat Product Errata RHBA-2020:2138 None None None 2020-05-13 14:04:38 UTC
Red Hat Product Errata RHBA-2020:2177 None None None 2020-05-18 09:50:05 UTC
Red Hat Product Errata RHBA-2020:2244 None None None 2020-05-21 15:23:09 UTC
Red Hat Product Errata RHBA-2020:2245 None None None 2020-05-21 15:25:19 UTC
Red Hat Product Errata RHSA-2020:1503 None None None 2020-04-21 08:05:09 UTC
Red Hat Product Errata RHSA-2020:1511 None None None 2020-04-21 11:14:05 UTC
Red Hat Product Errata RHSA-2020:1513 None None None 2020-04-21 17:48:40 UTC
Red Hat Product Errata RHSA-2020:1518 None None None 2020-04-21 17:19:18 UTC
Red Hat Product Errata RHSA-2020:3581 None None None 2020-08-31 09:15:20 UTC

Description Huzaifa S. Sidhpurwala 2020-04-08 05:09:12 UTC
As per upstream security advisory:

With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host.  The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.

Comment 1 Huzaifa S. Sidhpurwala 2020-04-08 05:14:25 UTC
Acknowledgments:

Name: the Git project
Upstream: Felix Wilhelm (Google project zero)

Comment 2 Huzaifa S. Sidhpurwala 2020-04-08 05:24:44 UTC
Created attachment 1677136 [details]
Upstream patch-set

Comment 6 Eric Christensen 2020-04-09 15:16:28 UTC
Statement:

Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never packaged for this instance of RHEL.

Comment 7 Huzaifa S. Sidhpurwala 2020-04-15 05:14:10 UTC
Upstream patch: https://github.com/git/git/compare/v2.17.3...v2.17.4

Comment 10 Huzaifa S. Sidhpurwala 2020-04-15 05:14:54 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1824020]

Comment 11 Huzaifa S. Sidhpurwala 2020-04-15 05:17:15 UTC
Mitigation:

The most complete workaround is to disable credential helpers altogether:
~~~
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
~~~

An alternative is to avoid malicious URLs:
1. Examine the hostname and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g., host=github.com)
2. Avoid using submodules with untrusted repositories (don't use clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules)
3. Avoid tools which may run git clone on untrusted URLs under the hood

Comment 12 errata-xmlrpc 2020-04-21 08:05:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:1503 https://access.redhat.com/errata/RHSA-2020:1503

Comment 13 Product Security DevOps Team 2020-04-21 10:31:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5260

Comment 14 errata-xmlrpc 2020-04-21 11:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1511 https://access.redhat.com/errata/RHSA-2020:1511

Comment 15 errata-xmlrpc 2020-04-21 17:19:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1518 https://access.redhat.com/errata/RHSA-2020:1518

Comment 16 errata-xmlrpc 2020-04-21 17:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1513 https://access.redhat.com/errata/RHSA-2020:1513

Comment 20 errata-xmlrpc 2020-08-31 09:15:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3581 https://access.redhat.com/errata/RHSA-2020:3581


Note You need to log in before you can comment on or make changes to this bug.