Bug 1935158 (CVE-2021-21300) - CVE-2021-21300 git: remote code execution during clone operation on case-insensitive filesystems
Status: ASSIGNED
Alias: CVE-2021-21300
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 1935529 1935530 1935531 1935532 1935533 1937166 1937343 1937344 1937345 1937346 1937347
Blocks: 1935161
 
Reported: 2021-03-04 13:17 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-02-19 12:37 UTC (History)

Fixed In Version: git 2.17.6, git 2.18.5, git 2.19.6, git 2.20.5, git 2.21.4, git 2.22.5, git 2.23.4, git 2.24.4, git 2.25.5, git 2.26.3, git 2.27.1, git 2.28.1, git 2.29.3, git 2.30.2
Doc Text:
A flaw was found in git, in which a specially-crafted repository that contains a symbolic link may cause a just-checked-out script to be executed while cloning.


Attachments
git upstream patch against v2.17.6 (11.29 KB, patch)
2021-03-05 03:44 UTC, Huzaifa S. Sidhpurwala

Description Guilherme de Almeida Suckevicz 2021-03-04 13:17:29 UTC
On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.

Comment 3 Huzaifa S. Sidhpurwala 2021-03-05 03:44:52 UTC
Created attachment 1760809 [details]
git upstream patch against v2.17.6

Comment 6 Huzaifa S. Sidhpurwala 2021-03-10 02:56:48 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1937166]

Comment 8 Huzaifa S. Sidhpurwala 2021-03-10 02:58:35 UTC
Mitigation:

If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work.
Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled.
As always, it is best to avoid cloning repositories from untrusted sources.
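
A check for the two mitigations listed in comment 8, as an added example (not part of the bug report or of git itself). The function name check_mitigations is an assumption; it reads the output of git config --global --list on stdin and treats any globally configured filter.<name>.clean, .smudge or .process key as a configured filter.

```shell
#!/bin/sh
# Added example: evaluate the CVE-2021-21300 mitigations from comment 8.
# Input : lines in `git config --list` form (key=value) on stdin.
# Output: one status line per mitigation.
# Return: 0 if at least one mitigation is in effect, 1 if neither is.
# Usage : git config --global --list | check_mitigations
check_mitigations() {
    symlinks=unset      # the last core.symlinks value wins, as in git
    filters=""
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        case "$line" in
            *=*) val=${line#*=} ;;
            *)   val=true ;;        # a bare key means "true" in git
        esac
        case "$key" in
            core.symlinks)
                symlinks=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') ;;
            filter.*.clean|filter.*.smudge|filter.*.process)
                filters="$filters $key" ;;
        esac
    done

    mitigated=1
    case "$symlinks" in
        false|no|off|0|"")          # spellings git reads as boolean false
            echo "core.symlinks=$symlinks: symlink mitigation in effect"
            mitigated=0 ;;
        *)
            echo "core.symlinks=$symlinks: symlink mitigation not in effect" ;;
    esac

    if [ -z "$filters" ]; then
        echo "no global clean/smudge filters: filter mitigation in effect"
        mitigated=0
    else
        echo "global filters configured:$filters"
    fi
    return "$mitigated"
}
```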

Comment 10 Todd Zullinger 2021-03-10 06:27:50 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> Statement:
> 
> This vulnerability affects case-insensitive file systems, therefore typical
> Linux scenarios should be safe. However as per upstream exploitation is even
> possible on Linux under certain circumstances.

Those circumstances would be running git on a case-insensitive filesystem with support for symbolic links when certain clean/smudge filters are configured globally (e.g. Git LFS), correct?  I know when I read the announcement earlier today I didn't think many Fedora Linux users should be vulnerable to this issue.

Comment 11 Florencio Cano 2021-03-10 12:44:26 UTC
Acknowledgments:

Name: Matheus Tavares

Comment 13 Todd Cullum 2021-03-22 19:05:13 UTC
Statement:

This vulnerability affects case-insensitive file systems, therefore typical Linux scenarios should be safe. However, as per upstream, exploitation is even possible on Linux under certain circumstances.

Red Hat CodeReady Studio 12 is not affected by this flaw because JBoss Forge Addon uses jgit, which is a different (Java) git implementation than git itself.

