The change to disallow `submodule.<name>.update=!command` entries in`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 added explicit fsck checks) fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604). References: https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.20.2.txt
Created git tracking bugs for this issue: Affects: fedora-all [bug 1781972]
oss-security mailing list reference: https://www.openwall.com/lists/oss-security/2019/12/13/1
External References: https://github.com/git/git/security/advisories/GHSA-cj5c-9839-g2ch
Upstream fix: https://github.com/git/git/commit/e904deb89d9a9669a76a426182506a084d3f6308
Vulnerability introduced in commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac . First vulnerable upstream version is v2.20.0-rc0. Until that commit, once the submodule was initialized, the submodule.<name>.update setting in .gitmodules was not read again. Starting with commit ee69b2a90c5031bffb3341c5e50653a6ecca89ac in some cases it is possible to make git read the submodule.<name>.update setting from the .gitmodules, which could contain a command to execute.
During initialization of submodules git correctly prevents submodule.<name>.update setting from being set to `!command` values, as that may execute arbitrary commands. However, after commit https://github.com/git/git/commit/ee69b2a90c5031bffb3341c5e50653a6ecca89ac, an update of the git repository and the git submodules would make git re-read the submodule.<name>.update setting from the .gitmodules file, which can be changed by the owner of the remote repository. During the submodule update, however, git does not check for `!command` values and it allows arbitrary commands to be executed.
Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, and 7 as they did not support custom commands as a valid update setting for submodules. This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8 as they did no re-read the update setting from the .gitmodules file after the initialization of the submodules.
Created libgit2 tracking bugs for this issue: Affects: epel-6 [bug 1784638] Affects: fedora-all [bug 1784639] Created libgit2-glib tracking bugs for this issue: Affects: fedora-all [bug 1784637]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19604