Bug 1781971 (CVE-2019-19604) - CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent
Summary: CVE-2019-19604 git: Recursive clone followed by a submodule update could exec...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-19604
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1784637 1784638 1784639 1781972
Blocks: 1781145
TreeView+ depends on / blocked
 
Reported: 2019-12-11 00:40 UTC by Pedro Sampaio
Modified: 2020-05-20 21:19 UTC (History)
33 users (show)

Fixed In Version: git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2
Doc Type: If docs needed, set a value
Doc Text:
A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update of the repository and the submodules done by the victim user, vulnerable versions of git may use the update setting in the .gitmodules file and execute arbitrary commands.
Clone Of:
Environment:
Last Closed: 2020-05-20 21:19:19 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2019-12-11 00:40:55 UTC
The change to disallow `submodule.<name>.update=!command` entries in`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 added explicit fsck checks) fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604).

References:

https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.20.2.txt

Comment 1 Pedro Sampaio 2019-12-11 00:41:38 UTC
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781972]

Comment 2 Riccardo Schirone 2019-12-13 16:41:52 UTC
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1

Comment 3 Riccardo Schirone 2019-12-13 16:43:19 UTC
External References:

https://github.com/git/git/security/advisories/GHSA-cj5c-9839-g2ch

Comment 4 Riccardo Schirone 2019-12-17 10:52:02 UTC
Upstream fix:
https://github.com/git/git/commit/e904deb89d9a9669a76a426182506a084d3f6308

Comment 6 Riccardo Schirone 2019-12-17 14:06:25 UTC
Vulnerability introduced in commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac . First vulnerable upstream version is v2.20.0-rc0. Until that commit, once the submodule was initialized, the submodule.<name>.update setting in .gitmodules was not read again. Starting with commit ee69b2a90c5031bffb3341c5e50653a6ecca89ac in some cases it is possible to make git read the submodule.<name>.update setting from the .gitmodules, which could contain a command to execute.

Comment 8 Riccardo Schirone 2019-12-17 14:36:41 UTC
During initialization of submodules git correctly prevents submodule.<name>.update setting from being set to `!command` values, as that may execute arbitrary commands. However, after commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac, an update of the git repository and the git submodules would make git re-read the submodule.<name>.update setting from the .gitmodules file, which can be changed by the owner of the remote repository. During the submodule update, however, git does not check for `!command` values and it allows arbitrary commands to be executed.

Comment 10 Riccardo Schirone 2019-12-17 15:33:09 UTC
Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, and 7 as they did not support custom commands as a valid update setting for submodules.
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8 as they did no re-read the update setting from the .gitmodules file after the initialization of the submodules.

Comment 13 Pedro Sampaio 2019-12-17 21:19:07 UTC
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784638]
Affects: fedora-all [bug 1784639]


Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784637]

Comment 16 Product Security DevOps Team 2020-05-20 21:19:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19604


Note You need to log in before you can comment on or make changes to this bug.