Bug 1434415 (CVE-2014-9938) - CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9938
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1434438 1434439 1434440 1435009
Blocks: 1434417
Reported: 2017-03-21 13:14 UTC by Adam Mariš
Modified: 2019-09-29 14:08 UTC

Fixed In Version: git 1.9.3
Doc Text:
It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt.
Clone Of:
Environment:
Last Closed: 2017-08-01 20:57:10 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:2004 | 0 | normal | SHIPPED_LIVE | Moderate: git security and bug fix update | 2017-08-01 18:33:36 UTC

Description Adam Mariš 2017-03-21 13:14:46 UTC
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

Upstream patch:

https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f

PoC repository:

https://github.com/njhartwell/pw3nage

Comment 1 Adam Mariš 2017-03-21 14:01:23 UTC
Created git tracking bugs for this issue:

Affects: epel-5 [bug 1434439]
Affects: fedora-24 [bug 1434438]
Affects: openshift-1 [bug 1434440]

Comment 2 Tomas Hoger 2017-03-22 14:38:27 UTC
Note that there are two ways to use git-prompt.sh to add info to the shell prompt.  These methods are documented at the top of the git-prompt.sh file:

#    3a) Change your PS1 to call __git_ps1 as
#        command-substitution:
#        Bash: PS1='[\u@\h \W$(__git_ps1 " (%s)")]\$ '
#        ZSH:  setopt PROMPT_SUBST ; PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ '
#        the optional argument will be used as format string.
#    3b) Alternatively, for a slightly faster prompt, __git_ps1 can
#        be used for PROMPT_COMMAND in Bash or for precmd() in Zsh
#        with two parameters, <pre> and <post>, which are strings
#        you would put in $PS1 before and after the status string
#        generated by the git-prompt machinery.  e.g.
#        Bash: PROMPT_COMMAND='__git_ps1 "\u@\h:\w" "\\\$ "'
#          will show username, at-sign, host, colon, cwd, then
#          various status string, followed by dollar and SP, as
#          your prompt.
#        ZSH:  precmd () { __git_ps1 "%n" ":%~$ " "|%s" }
#          will show username, pipe, then various status string,
#          followed by colon, cwd, dollar and SP, as your prompt.
#        Optionally, you can supply a third argument with a printf
#        format string to finetune the output of the branch status

This issue only affected uses with __git_ps1 used in the PROMPT_COMMAND (i.e. the 3b) configurations); it did not affect uses with __git_ps1 in PS1 (i.e. the 3a) configurations).

The support for using __git_ps1 in PROMPT_COMMAND was added in git version 1.8.1 via this commit:

https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250

Therefore, git 1.7.1 as shipped with Red Hat Enterprise Linux 6 was not affected.
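
A triage helper built from the version boundaries and the 3a/3b distinction given in Comment 2 and the "Fixed In Version" field, as an added example that is not part of the bug report or of git. The function names are hypothetical, and the version argument is assumed to be a numeric upstream version string, since a distribution package that backports the fix keeps its older version number.

```shell
#!/bin/sh
# Added triage sketch; all function names here are hypothetical, not git's.

# ver_lt A B: succeed if numeric dotted version A sorts strictly before B.
ver_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        if [ "$va" = "$x" ]; then va=; else va=${va#*.}; fi
        if [ "$vb" = "$y" ]; then vb=; else vb=${vb#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# uses_3b VALUE: succeed if a PROMPT_COMMAND value calls __git_ps1
# (configuration 3b, the only setup Comment 2 describes as affected).
uses_3b() {
    case $1 in *__git_ps1*) return 0 ;; esac
    return 1
}

# triage UPSTREAM_GIT_VERSION PROMPT_COMMAND_VALUE: print one verdict.
triage() {
    if ver_lt "$1" 1.8.1; then echo predates-3b      # no PROMPT_COMMAND mode yet
    elif ! ver_lt "$1" 1.9.3; then echo fixed        # "Fixed In Version"
    elif uses_3b "$2"; then echo affected
    else echo unaffected-config                      # 3a or no git prompt
    fi
}

# flag_names: read ref names on stdin, print those containing "$" or a
# backtick, which bash would treat as expansions if they reached PS1 raw.
flag_names() {
    while IFS= read -r name; do
        case $name in *'$'*|*'`'*) printf '%s\n' "$name" ;; esac
    done
}

# Constructed sample inputs (not taken from the bug report).
triage 1.7.1 ''                                      # predates-3b
triage 1.8.3 '__git_ps1 "\u@\h:\w" "\\\$ "'          # affected
triage 1.8.3 ''                                      # unaffected-config
triage 1.9.3 '__git_ps1 "\u@\h:\w" "\\\$ "'          # fixed
printf '%s\n' master 'topic-$(constructed)' | flag_names
```

In a real checkout, pass "$PROMPT_COMMAND" to `triage` and pipe `git for-each-ref --format='%(refname:short)'` into `flag_names` to list branch names worth reviewing before working in an untrusted repository.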

Comment 5 errata-xmlrpc 2017-08-01 20:52:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2004 https://access.redhat.com/errata/RHSA-2017:2004

