Bug 1781127 (CVE-2019-1387) - CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
Summary: CVE-2019-1387 git: Remote code execution in recursive clones with nested subm...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1387
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1784056 1784059 1784061 1784610 1784611 1784614 1781954 1784055 1784057 1784058 1784060
Blocks: 1781145
TreeView+ depends on / blocked
 
Reported: 2019-12-09 11:46 UTC by Dhananjay Arunesh
Modified: 2020-02-17 06:17 UTC (History)
25 users (show)

Fixed In Version: git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2, git 2.19.3, git 2.18.2, git 2.17.3, git 2.16.6, git 2.15.4, git 2.14.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine.
Clone Of:
Environment:
Last Closed: 2019-12-19 20:09:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0003 None None None 2020-01-02 10:58:30 UTC
Red Hat Product Errata RHBA-2020:0025 None None None 2020-01-06 13:23:09 UTC
Red Hat Product Errata RHBA-2020:0032 None None None 2020-01-06 21:07:06 UTC
Red Hat Product Errata RHBA-2020:0125 None None None 2020-01-16 13:09:46 UTC
Red Hat Product Errata RHBA-2020:0139 None None None 2020-01-17 15:12:55 UTC
Red Hat Product Errata RHBA-2020:0144 None None None 2020-01-21 02:23:35 UTC
Red Hat Product Errata RHBA-2020:0145 None None None 2020-01-21 02:16:30 UTC
Red Hat Product Errata RHBA-2020:0146 None None None 2020-01-21 02:20:05 UTC
Red Hat Product Errata RHBA-2020:0147 None None None 2020-01-21 02:16:33 UTC
Red Hat Product Errata RHBA-2020:0149 None None None 2020-01-21 02:16:14 UTC
Red Hat Product Errata RHBA-2020:0150 None None None 2020-01-21 02:20:16 UTC
Red Hat Product Errata RHBA-2020:0151 None None None 2020-01-21 02:20:22 UTC
Red Hat Product Errata RHBA-2020:0152 None None None 2020-01-21 02:22:58 UTC
Red Hat Product Errata RHBA-2020:0198 None None None 2020-01-22 10:07:25 UTC
Red Hat Product Errata RHBA-2020:0200 None None None 2020-01-22 12:27:27 UTC
Red Hat Product Errata RHBA-2020:0209 None None None 2020-01-23 12:51:32 UTC
Red Hat Product Errata RHBA-2020:0210 None None None 2020-01-23 12:51:06 UTC
Red Hat Product Errata RHSA-2019:4356 None None None 2019-12-19 18:43:57 UTC
Red Hat Product Errata RHSA-2020:0002 None None None 2020-01-02 08:54:01 UTC
Red Hat Product Errata RHSA-2020:0124 None None None 2020-01-16 13:50:06 UTC
Red Hat Product Errata RHSA-2020:0228 None None None 2020-01-27 08:54:14 UTC

Description Dhananjay Arunesh 2019-12-09 11:46:43 UTC
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

References:

https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt

Comment 1 Pedro Sampaio 2019-12-11 00:00:12 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781954]

Comment 3 Riccardo Schirone 2019-12-13 16:22:15 UTC
External References:

https://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2

Comment 4 Riccardo Schirone 2019-12-13 16:22:39 UTC
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1

Comment 7 Riccardo Schirone 2019-12-16 14:38:55 UTC
Submodules names are used to construct the path of the gitdir associated with the submodule, however git does not correctly validate those names, allowing a submodule gitdir to be nested inside the gitdir of another submodule. Given the gitdir directory of submodules also contains scripts that are executed by git during various operations, it is risky to allow such nested paths. In some circumstances, it is possible for an attacker to trick a user into recursively cloning a malicious repository which, when cloned, would allow the attacker to remotely execute code on the victim's machine.

Comment 8 Riccardo Schirone 2019-12-16 14:40:21 UTC
The only known exploit at this time would allow for just very targeted attacks, where the user.name, user.email and a the rough time window when the repositories will be cloned recursively are known to the attacker. However we do not exclude other ways may exist.

Comment 9 Riccardo Schirone 2019-12-16 14:51:25 UTC
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not use submodules names to construct git metadata paths.

Comment 11 Riccardo Schirone 2019-12-16 15:28:20 UTC
Mitigation:

Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.

Comment 12 msiddiqu 2019-12-17 20:43:40 UTC
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784611]
Affects: fedora-all [bug 1784610]

Comment 13 msiddiqu 2019-12-17 20:49:46 UTC
Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784614]

Comment 15 Jason Shepherd 2019-12-18 02:10:12 UTC
OpenShift Container Platform 3, and 4 use git from Red Hat Enterprise Linux (RHEL). Once an update for git in RHEL is available it will be rebuilt into affected OCP container images.

Comment 17 errata-xmlrpc 2019-12-19 18:43:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4356 https://access.redhat.com/errata/RHSA-2019:4356

Comment 18 Product Security DevOps Team 2019-12-19 20:09:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1387

Comment 19 errata-xmlrpc 2020-01-02 08:53:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0002 https://access.redhat.com/errata/RHSA-2020:0002

Comment 24 errata-xmlrpc 2020-01-16 13:50:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0124 https://access.redhat.com/errata/RHSA-2020:0124

Comment 26 errata-xmlrpc 2020-01-27 08:54:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0228 https://access.redhat.com/errata/RHSA-2020:0228


Note You need to log in before you can comment on or make changes to this bug.