Bug 1583862 (CVE-2018-11235) - CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
Status: CLOSED ERRATA
Alias: CVE-2018-11235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1583877 1583878 1584195 1584196 1584197 1584198 1584505 1585001 1595769 1596744 1620099 1620101 1620102 1620103 1620104 1620105
Blocks: 1583883
Reported: 2018-05-29 23:08 UTC by Todd Zullinger
Modified: 2021-09-09 14:17 UTC
CC List: 75 users

Fixed In Version: git 2.13.7, git 2.14.4, git 2.15.2, git 2.16.4, git 2.17.1
Last Closed: 2018-07-10 08:53:59 UTC




Links
Red Hat Product Errata RHSA-2018:1957 (last updated 2018-06-20 23:06:17 UTC)
Red Hat Product Errata RHSA-2018:2147 (last updated 2018-07-10 08:35:14 UTC)

Description Todd Zullinger 2018-05-29 23:08:10 UTC
A flaw was found in git which allows arbitrary code to be executed when running 'git clone --recurse-submodules' (or the deprecated 'git clone --recursive' synonym). A malicious repository can include a .gitmodules submodule config file which points outside of the repository. When git clones such a repository it can be tricked into running hooks within the cloned submodule, which is under the control of the attacker.

References:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html
https://news.ycombinator.com/item?id=17181238
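As an added example (not git's own code and not part of this bug report): a defender-side check that parses a repository's .gitmodules and flags entries whose submodule name or path points outside the repository, the condition the description above relies on. The .gitmodules contents below are constructed samples, and the traversal test mirrors the classic checks (empty, absolute, or containing a '..' component) rather than git's exact validation code.

```python
import re

# Constructed sample .gitmodules content (not from the bug report): a benign
# entry and one whose name and path use '..' to point outside the checkout.
BENIGN = '[submodule "libfoo"]\n\tpath = vendor/libfoo\n\turl = https://example.invalid/libfoo.git\n'
TRAVERSAL = '[submodule "../../escaped"]\n\tpath = ../../escaped\n\turl = https://example.invalid/e.git\n'

SECTION_RE = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]$')
KEY_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(.*)$')


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} from .gitmodules (git-config syntax)."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # blank or comment line
            continue
        section = SECTION_RE.match(line)
        if section:
            # Undo the two escapes git allows inside a quoted subsection name.
            current = section.group(1).replace('\\"', '"').replace('\\\\', '\\')
            modules.setdefault(current, {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            modules[current][kv.group(1).lower()] = kv.group(2)
    return modules


def escapes_repository(value):
    """True if a name or path can resolve outside the work tree: empty,
    absolute (POSIX or drive letter), or containing a '..' component."""
    if not value or value[0] in '/\\' or re.match(r'^[A-Za-z]:', value):
        return True
    return '..' in value.replace('\\', '/').split('/')


def find_suspicious_submodules(text):
    """Return (submodule, field, value) for each name or path that escapes.
    The name is checked too: git keeps each submodule's repository under
    .git/modules/<name>, so a name containing '..' lands outside that directory."""
    findings = []
    for name, entries in parse_gitmodules(text).items():
        if escapes_repository(name):
            findings.append((name, 'name', name))
        path = entries.get('path')
        if path is not None and escapes_repository(path):
            findings.append((name, 'path', path))
    return findings
```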

Comment 1 Todd Zullinger 2018-05-29 23:12:54 UTC
Updated Fedora builds have been submitted for current releases:

F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-75f7624a9f
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-080a3d7866

Sites hosting git repositories can help mitigate the propagation of this issue to unpatched git clients by enabling 'transfer.fsckObjects'.  (The hosting site should be running a patched git, of course.)

Comment 2 Sam Fowler 2018-05-30 00:17:32 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1583878]

Comment 4 Jason Shepherd 2018-05-30 06:29:58 UTC
There is a simple way to test if your installation of 'git' is vulnerable:

# Stage a symlink (mode 120000, pointing at the empty blob) under the name
# .gitmodules.  A patched git rejects this with "error: Invalid path
# '.gitmodules'"; a vulnerable git accepts it silently.
git init test && \
  cd test && \
  git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules

Reference: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html

Comment 7 Tomas Hoger 2018-05-30 07:03:34 UTC
External References:

https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html

Comment 16 Jason Shepherd 2018-05-31 06:34:22 UTC
A user of Openshift Online does not have the ability to add new volumes. Therefore this vulnerability cannot be exploited by a user of Openshift Online by creating a volume from a GitRepo source [1]. The 'source-to-image' functionality in Openshift Online is currently affected.

[1] https://docs.openshift.com/container-platform/3.9/dev_guide/volumes.html#adding-volumes

Comment 23 Jason Shepherd 2018-06-01 06:41:02 UTC
The 'git' binary is not installed in the RHEL Atomic base image, registry.access.redhat.com/rhel7-atomic.

Comment 26 Fedora Update System 2018-06-01 12:04:16 UTC
git-2.17.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Otheus 2018-06-20 15:43:10 UTC
Is there someone working on a patch for 1.8.3.1 (RHEL7)?

Comment 34 errata-xmlrpc 2018-06-20 23:05:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1957 https://access.redhat.com/errata/RHSA-2018:1957

Comment 35 Riccardo Schirone 2018-06-27 14:06:43 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1595769]

Comment 36 errata-xmlrpc 2018-07-10 08:34:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2018:2147 https://access.redhat.com/errata/RHSA-2018:2147

Comment 46 Jason Shepherd 2018-08-22 12:59:24 UTC
Mitigation:

Don't create OCP source-to-image applications from source code repositories hosted by untrusted parties. Github is blocking users from pushing repositories with malicious submodules so it's less likely you can pull a malicious repository from there which triggers this vulnerability.

Comment 49 Jason Shepherd 2018-08-27 01:08:25 UTC
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not include the vulnerable code.

If using OCP 3.6 make sure atomic-openshift-3.6.173.0.128-1.git.0.8da0828.el7 or later is installed on the master.

Comment 50 Ben Parees 2018-08-27 01:16:47 UTC
I was wrong; they were not the same package. The git binary reports the same version, but the package level is different and I guess something was patched between the two.

