The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. References: https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Created git tracking bugs for this issue: Affects: fedora-all [bug 1781955]
oss-security mailing list reference: https://www.openwall.com/lists/oss-security/2019/12/13/1
External References: https://github.com/git/git/security/advisories/GHSA-2pw3-gwg9-8pqr
Upstream fix: https://github.com/git/git/commit/68061e3470210703cb15594194718d35094afdc0
Mitigation: Avoid running `git fast-import` on untrusted input.
Command `git fast-import` accepts, among other things, the in-stream command `feature export-marks=<path>`, which lets the stream write marks to an arbitrary path. If an attacker can control the input stream, he could overwrite an arbitrary path, though he could not fully control the content of the file because it has a standard format (each line is of the form `:markid SHA-1`).
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1348
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228