1781971 – (CVE-2019-19604) CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent

Bug 1781971 (CVE-2019-19604) - CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent

Summary: CVE-2019-19604 git: Recursive clone followed by a submodule update could exec...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-19604
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1781972 1784637 1784638 1784639
Blocks:	1781145
TreeView+	depends on / blocked

Reported:	2019-12-11 00:40 UTC by Pedro Sampaio
Modified:	2021-02-16 20:54 UTC (History)
CC List:	33 users (show)
Fixed In Version:	git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2
Doc Type:	If docs needed, set a value
Doc Text:	A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update of the repository and the submodules done by the victim user, vulnerable versions of git may use the update setting in the .gitmodules file and execute arbitrary commands.
Clone Of:
Environment:
Last Closed:	2020-05-20 21:19:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-12-11 00:40:55 UTC

The change to disallow `submodule.<name>.update=!command` entries in`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 added explicit fsck checks) fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604).

References:

https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.20.2.txt

Comment 1 Pedro Sampaio 2019-12-11 00:41:38 UTC

Created git tracking bugs for this issue:

Affects: fedora-all [bug 1781972]

Comment 2 Riccardo Schirone 2019-12-13 16:41:52 UTC

oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1

Comment 3 Riccardo Schirone 2019-12-13 16:43:19 UTC

External References:

https://github.com/git/git/security/advisories/GHSA-cj5c-9839-g2ch

Comment 4 Riccardo Schirone 2019-12-17 10:52:02 UTC

Upstream fix:
https://github.com/git/git/commit/e904deb89d9a9669a76a426182506a084d3f6308

Comment 6 Riccardo Schirone 2019-12-17 14:06:25 UTC

Vulnerability introduced in commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac . First vulnerable upstream version is v2.20.0-rc0. Until that commit, once the submodule was initialized, the submodule.<name>.update setting in .gitmodules was not read again. Starting with commit ee69b2a90c5031bffb3341c5e50653a6ecca89ac in some cases it is possible to make git read the submodule.<name>.update setting from the .gitmodules, which could contain a command to execute.

Comment 8 Riccardo Schirone 2019-12-17 14:36:41 UTC

During initialization of submodules git correctly prevents submodule.<name>.update setting from being set to `!command` values, as that may execute arbitrary commands. However, after commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac, an update of the git repository and the git submodules would make git re-read the submodule.<name>.update setting from the .gitmodules file, which can be changed by the owner of the remote repository. During the submodule update, however, git does not check for `!command` values and it allows arbitrary commands to be executed.

Comment 10 Riccardo Schirone 2019-12-17 15:33:09 UTC

Statement:

This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, and 7 as they did not support custom commands as a valid update setting for submodules.
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8 as they did no re-read the update setting from the .gitmodules file after the initialization of the submodules.

Comment 13 Pedro Sampaio 2019-12-17 21:19:07 UTC

Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1784638]
Affects: fedora-all [bug 1784639]


Created libgit2-glib tracking bugs for this issue:

Affects: fedora-all [bug 1784637]

Comment 16 Product Security DevOps Team 2020-05-20 21:19:19 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19604

Note You need to log in before you can comment on or make changes to this bug.

abenaiss
aileenc
amahdal
aos-bugs
besser82
bmontgom
c.david86
chazlett
chrisw
drieden
eparis
ggaughan
hhorak
i
icq
igor.raits
janstey
jburrell
jochrist
jokerman
jorton
jwon
klember
nstielau
opohorel
pbhattac
pcahyna
pstodulk
sebastian.kisela
sponnaga
tmz
vbobade
walter.pete