A flaw was found in git which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. References: https://bugzilla.novell.com/show_bug.cgi?id=1110949 https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08
Created git tracking bugs for this issue: Affects: fedora-all [bug 1636620] Created libgit2 tracking bugs for this issue: Affects: fedora-all [bug 1636621]
The relevant upstream commits which fix the issue: https://github.com/git/git/commit/98afac7a7cefdca0d2c4917dd8066a59f7088265 https://github.com/git/git/commit/f6adec4e329ef0e25e14c63b735a5956dc67b8bc https://github.com/git/git/commit/273c61496f88c6495b886acb1041fe57965151da For the fsck check: https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
Statement: OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use, therefore a cluster update is required to patch this issue. Full instructions will be provided in Security Errata provided for this issue. In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node. Therefore the severity of this CVE is important for these versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container.
git does not properly pass the `url` and `path` fields of a submodule to the git-clone command, when recursively cloning a repository with git sub-modules. If the `url` field begins with a `-`(dash) this is going to be interpreted as an option.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3408 https://access.redhat.com/errata/RHSA-2018:3408
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3541 https://access.redhat.com/errata/RHSA-2018:3541
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0316 https://access.redhat.com/errata/RHSA-2020:0316