The change to disallow `submodule.<name>.update=!command` entries in `.gitmodules`, which was introduced in v2.15.4 (and for which v2.17.3 added explicit fsck checks), fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604).
Created git tracking bugs for this issue:
Affects: fedora-all [bug 1781972]
oss-security mailing list reference:
Vulnerability introduced in commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac. First vulnerable upstream version is v2.20.0-rc0. Until that commit, once the submodule was initialized, the submodule.<name>.update setting in .gitmodules was not read again. Starting with commit ee69b2a90c5031bffb3341c5e50653a6ecca89ac, in some cases it is possible to make git read the submodule.<name>.update setting from the .gitmodules, which could contain a command to execute.
During initialization of submodules git correctly prevents submodule.<name>.update setting from being set to `!command` values, as that may execute arbitrary commands. However, after commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac, an update of the git repository and the git submodules would make git re-read the submodule.<name>.update setting from the .gitmodules file, which can be changed by the owner of the remote repository. During the submodule update, however, git does not check for `!command` values and it allows arbitrary commands to be executed.
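The two comments above describe the unsafe value: an `update` key in the tracked, remote-controlled `.gitmodules` whose value starts with `!`, which git treats as a shell command to run. The script below is an added, stand-alone example (not git's own fsck code and not part of this bug report) that parses a `.gitmodules` file and flags such entries the way a pre-merge or pre-checkout check would. The function names, the `SAFE_UPDATE_VALUES` set and the sample `.gitmodules` text are all my own constructions for the example; only the four documented strategies (`none`, `checkout`, `rebase`, `merge`) and the `!` prefix come from git's config semantics.

```python
import re
from typing import List, Tuple

# Update strategies that git accepts from the tracked .gitmodules file.
# A value starting with "!" is the "run this shell command" strategy, which
# git only honours from the local .git/config; the CVE-2019-19604 fix and the
# accompanying fsck check refuse it when it appears in .gitmodules.
SAFE_UPDATE_VALUES = {"none", "checkout", "rebase", "merge"}

_SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]\s*$')


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' or ';' comment that is not inside double quotes."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in "#;" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def parse_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule_name, key, value) triples from .gitmodules text.

    Only [submodule "<name>"] sections are kept; keys are lower-cased the way
    git config keys are, and surrounding double quotes on values are removed.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if line.startswith("["):  # some other section: ignore its keys
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries.append((current, key.strip().lower(), value))
    return entries


def find_unsafe_update_entries(text: str) -> List[Tuple[str, str, str]]:
    """List (name, value, reason) for every update= entry that should be refused.

    reason is "command" for a '!'-prefixed value (arbitrary command execution)
    and "invalid" for any value outside the four documented strategies.
    """
    findings = []
    for name, key, value in parse_gitmodules(text):
        if key != "update":
            continue
        if value.startswith("!"):
            findings.append((name, value, "command"))
        elif value not in SAFE_UPDATE_VALUES:
            findings.append((name, value, "invalid"))
    return findings


def gitmodules_is_safe(text: str) -> bool:
    """True when no update= entry in the text would be rejected."""
    return not find_unsafe_update_entries(text)


# Constructed sample .gitmodules for the example; not from any real repository.
SAMPLE_GITMODULES = """\
[submodule "lib/safe"]
\tpath = lib/safe
\turl = https://example.invalid/safe.git
\tupdate = checkout
[submodule "lib/hostile"]
\tpath = lib/hostile
\turl = https://example.invalid/hostile.git
\t; a '!' value is the shell-command strategy the CVE-2019-19604 fix refuses
\tupdate = !echo constructed-sample
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    for name, value, reason in find_unsafe_update_entries(text):
        print(f"{reason}: submodule '{name}' has update = {value!r}")
    sys.exit(0 if gitmodules_is_safe(text) else 1)
```

Run it with a path to a `.gitmodules` file (or with no argument to check the embedded sample); a non-zero exit status means an entry was found that a patched git would also refuse. Checking the tracked file this way is a useful belt-and-braces control for repositories that still get fetched by older clients, but it is not a substitute for updating git itself, since only the fixed versions stop reading the value during `submodule update`.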
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 and 7, as they did not support custom commands as a valid update setting for submodules.
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8, as they did not re-read the update setting from the .gitmodules file after the initialization of the submodules.
Created libgit2 tracking bugs for this issue:
Affects: epel-6 [bug 1784638]
Affects: fedora-all [bug 1784639]
Created libgit2-glib tracking bugs for this issue:
Affects: fedora-all [bug 1784637]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):